The CyberWire Daily Podcast 9.2.20
Ep 1165 | 9.2.20

Facebook’s latest takedowns reach Pakistan, Russia, and the US. Election meddling. Chinese espionage looks inward, again. New alt-coin stealer. NZX DDoS update. That Twitter hack.


Dave Bittner: Facebook's August takedowns included coordinated inauthenticity from Pakistan, Russia and a U.S. strategic communication firm. CISA and the FBI say, nope, the Russians weren't in voter databases. A Chinese APT turns its attention from Europe back to Tibet. A new cryptocurrency stealer is active in central Europe. New Zealand's DDoS attacks may be an extortion attempt. Joe Carrigan has the story of a reporter's stolen Facebook account. Our guest is Ophir Harpaz from Guardicore Labs with their Botnet Encyclopedia. And there may be another teenage mastermind behind last month's Twitter hack.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 2, 2020. 

Dave Bittner: During August, Facebook took down three networks for engaging in coordinated inauthentic behavior - that is, organized disinformation. The activity broke down as follows - 435 accounts, 103 pages, 78 groups and 107 Instagram accounts run from Pakistan were removed. They sought influence in both Pakistan and India. The Stanford Internet Observatory characterizes these as aiming to counter criticism of either Islam or Pakistan's government. 

Dave Bittner: Thirteen accounts and two pages operated from Russia were taken down. Facebook said these were linked to individuals associated with past activity in the Russian Internet Research Agency. This activity was directed mostly against the U.S., the U.K., Algeria and Egypt, with plenty of QAnon and COVID-19 chatter. Graphika says much of the network's activity involved redirection to PeaceData, which represents itself as a progressive independent news service. PeaceData - it's only fair to say - has reacted with outrage, shocked and appalled by what they call the ugly lie that they're a Russian propaganda tool. Facebook took action against these networks on the strength of a tipoff from the FBI. 

Dave Bittner: Fifty-five accounts, 42 pages and 96 Instagram accounts linked to the Washington-based communications firm CLS Strategies were removed. This network devoted itself to Venezuela, with some attention also paid to Mexico and Bolivia. BuzzFeed reports that CLS Strategies didn't respond directly to a question about coordinated inauthenticity beyond briefly stating a version of its corporate mission. The line the accounts took were, in Venezuela, pro-opposition, in Bolivia, pro-regime and in Mexico, anti-MORENA, a leftist political party. 

Dave Bittner: Facebook did note that CLS as a whole wasn't banned, since much of the firm's activity was legitimate. It's not yet known on behalf of what clients CLS may have been working. 

Dave Bittner: To return to PeaceData, The New York Times notes that the Internet Research Agency may have succeeded in making an American connection. According to the Times, the Russians succeeded in getting actual Americans to write for PeaceData, which would account for the relatively good idiomatic control on display in its posts. Times says the Internet Research Agency posted offers for freelance writers on a job board. Times also says it spoke to one such freelancer, who was steered to PeaceData data by an IRA (ph) job board. The writer asked to remain anonymous because he didn't wish his professional reputation damaged by his having been duped by the Russian government. He was paid $75 a post, which, relatively speaking, is chicken feed in the freelance market. 

Dave Bittner: So in this case, the Russians appear to have made use of the usefully gullible, what the Russian organs less politely call the (speaking Russian). The content on PeaceData's site, which the Times believes to have been designed to harm the candidacy of Democratic nominee Joe Biden by fomenting dispute within what might otherwise be a more disciplined left, contains complaint that the Democrats are insufficiently progressive on various issues and denunciation of alleged Republican closeness to unsavory far-right elements. When President Trump appears on PeaceData pages, it's with horns, hooves and a tail - metaphorically speaking. So if the Times is right, it's a relatively sophisticated propaganda gambit. Of course, PeaceData could just be the progressive site it claims to be, but it might be a front, too. 

Dave Bittner: Chatter about Russian compromise of U.S. voter databases has come to nothing. CISA and the FBI haven't seen anything of the kind during this election cycle. If you look at the Twitter comments in the agency's thread, you'll find many skeptical one-liners, but we think CISA and the Bureau have got this one right. Yesterday's flurry of tweets linking back to a Russian newspaper article seemed to be much ado about some matters of public record. 

Dave Bittner: Researchers at Proofpoint report that Chinese government threat group TA413, which earlier deployed Sepulcher malware against European targets, is now using it in a spear-phishing campaign directed at the Tibetan diaspora. This, Proofpoint thinks, represents a realignment of Chinese cyber-espionage assets from Western targets of opportunity and urgency the COVID-19 pandemic threw to the fore and back to more traditional targeting of domestic groups the PRC holds to be unreliable and undesirable, like, of course, Tibetans. 

Dave Bittner: The recent wave of distributed denial-of-service attacks against targets in New Zealand - most prominently, those against the NZX stock exchange - may have been part of an extortion campaign. Stuff reports that Government Communications Security Bureau Minister Andrew Little said that the GCSB is investigating emails received by victims shortly before the attacks that demanded a bitcoin payoff. If there was no payment, the attackers would render the victims' networks unavailable. Beyond that, GCSB hasn't said much. The investigation continues. 

Dave Bittner: The mastermind of the July 15 Twitter hack in which several high-profile and high-value accounts were briefly but effectively hijacked is said, by the U.S. Justice Department, to have been 17-year-old Graham Ivan Clark. It now appears that an additional person is of interest to the investigators, and this person of interest is of even more tender years. 

Dave Bittner: The New York Times reports that the FBI has served a Massachusetts teenager with a search warrant and tossed his parents' home. The parents themselves aren't suspects, but their son, who quite properly lives with them, is. 

Dave Bittner: The warrant and other documents are under seal, and the teenager has not been charged. The New York Times declines to name the young man on account of his youth, but they do cite sources that told them the youth of interest may have been at least partly responsible for planning the breach and carrying out some of its most sensitive and complicated elements. So instead of one mastermind, the Twitter hack may, in fact, have had two. 

Dave Bittner: The folks at Guardicore Labs recently launched a Botnet Encyclopedia, which they describe as a universal knowledge base of past and present botnet campaigns researched by the lab's team. Ophir Harpaz is a security researcher at Guardicore Labs. 

Ophir Harpaz: So Guardicore has a special network of sensors deployed worldwide. And each one of these sensors is able to capture cyberattacks and record every single event that takes place in these attacks. And since we have this very unique database of mass-scale attacks, we decided that we would like to share it with the security community so that both security researchers, threat analysts and defenders can take a look at the data and maybe incorporate the data into their policies and defensive mechanisms and maybe to expand the research themselves. I mean, we have all this data, and we thought, why keep it for ourselves? That's basically the main motivation. 

Dave Bittner: So you put together Guardicore's Botnet Encyclopedia. Can you give us some examples? What are the types of things that people can expect to find in here? 

Ophir Harpaz: So we mostly see mass-scale attacks. These are opportunistic attacks that aim at a very, very high number of servers worldwide. And we mostly see denial-of-service attacks - distributed denial-of-service, DDoS - and cryptomining attacks. But from time to time, we also see very interesting attacks in technical terms or in terms of the scope that the attack campaign reaches. So we can find both Mirai-like campaigns that we're all very familiar with and used to, but from time to time, we see more unique type of attacks. So we can find both in the encyclopedia. 

Dave Bittner: And where do you suppose things are headed when it comes to botnet? From the research that you're doing, having a very close look at these sorts of things, is this something that we're getting a handle on or are we staying even with the task or are they gaining ground on us? 

Ophir Harpaz: I think it's a kind of - well, I'm not the first to say it but it's kind of a cat and mouse game. So attackers are definitely becoming more sophisticated. I can say that for sure. I'm looking into these attacks. They are very talented software developers. Many of them know what they do and why they do it. 

Ophir Harpaz: But on the other hand, we're also becoming smarter. We're monitoring their malicious activity, and we're improving our security measures accordingly. So I can't really say that we're getting ahead of them all the time, but it's kind of, you know, one step on their end and then we're making one step to achieve their pace. 

Dave Bittner: That's Ophir Harpaz from Guardicore Labs. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: An interesting story came by - this is from WHEC, which is a television station in Rochester, N.Y. - from one of their reporters named Deanna Dewberry. And she ran into some interesting trouble with her Facebook page. What's going on here, Joe? 

Joe Carrigan: That's right. She has a professional Facebook page that she maintains on Facebook, of course, and has over 11,000 followers and 10,000 people who like the page. And at one point in time, recently, her Facebook page has been hijacked. And it looks like this was a pretty good social engineering attack that they targeted Deanna. She got a notification message telling her that she had violated Facebook's community standards and that her account could be disabled - right? - which is a typical fear tactic that social engineers use to get you to short-circuit your thinking... 

Dave Bittner: Right. 

Joe Carrigan: ...And then was essentially phished for her credentials. So following the advice of these fraudsters - they'd already gotten her attention - she is prompted to enter her username and password and then change her password. And then one prompt asks for her ID, which made her suspicious, but she researched it, and according to Facebook's Help section, they will ask for your ID when there's suspicious activity. 

Joe Carrigan: Now, I don't know about you, Dave, but if Facebook is actually asking me for my driver's license, that's it. I'm not going to give Facebook my driver's license, period. 

Dave Bittner: (Laughter) OK, fair enough. Fair enough. 

Joe Carrigan: I'm not a - I don't have a public-facing Facebook presence for, you know, Joe Carrigan from JHU. That's just not how I roll. That's - I do that on Twitter but not on Facebook. I had one friend who said to Facebook, no, I'm not going to give you my ID. I've been on Facebook for 10 years. I use a pseudonym, and I like using a pseudonym, and if you don't like that, then we can terminate our relationship right now. And this person is still on Facebook, so I guess it worked out. But this person also doesn't have any public-facing pages as well, but I can see why they wanted it. 

Joe Carrigan: Now, I will bet that Facebook asked these scammers for the ID and the scammers just turned around and asked Deanna for her ID so then they could present it and look like Deanna to Facebook. Once they got control of the page, they deleted all of her posts that were on that page. They completely cleared out the history, and they turned it into a hair care product, and they limited the audience to only people in Vietnam and Cambodia, which is interesting because now her 10,000 or 11,000 followers in the U.S. can't see your page anymore. So... 

Dave Bittner: Right. 

Joe Carrigan: ...Why would they do this? Then they start selling hair care products. Well, my guess is that they wanted to take over a page that had a lot of followers so that when they limited the access, the global access to these two countries, people in those countries would see, hey, this page already has a lot of followers. It must be legit. And... 

Dave Bittner: Right, lots of people like these hair care products. They must be good. 

Joe Carrigan: Exactly. And one of Deanna's biggest gripes here - and it's a legitimate gripe - is that these people then proceeded to buy advertising to promote this page, and Facebook took advertising dollars from these scammers to promote this page to almost half a million viewers. And she has a legitimate gripe here. 

Joe Carrigan: Fortunately, she has taken care of the access to the page and has regained access to it, and I hope that she has enacted two-factor authentication. Facebook offers three ways you can do multifactor authentication. They'll send you a text message with a code. They'll give you a software token that you can use, like, Google Authenticator with. Or you can actually use something like a YubiKey - use a hardware token. 

Dave Bittner: Right. 

Joe Carrigan: And that's how I have my account secured. If you don't want to make the expense of buying a YubiKey, Google Authenticator, I think, is fine. It's pretty good. Any of the authentication apps are all pretty much the same inner workings. The only risk is that at some point in time, you have to expose your seed (ph) on a webpage. And as long as nobody's taking screenshots of your machine while that's happening, you're going to be fine. But if somebody is taking screenshots of your machine, if there is somebody malicious on the inside and they have that kind of control, then they're going to have access to all your multifactor authentication. But that's kind of low-risk. 

Dave Bittner: Yeah, (laughter) yeah. Well, so the good news is she got control back. 

Joe Carrigan: Right. 

Dave Bittner: But it's interesting case here, and I guess a reminder that anything that is of value, you should have multifactor set up for. 

Joe Carrigan: Absolutely, absolutely. 

Dave Bittner: Yeah. 

Joe Carrigan: It's unfortunate, especially since they deleted all of her content. She was using a lot of the content for writing books. And Facebook says they can't restore it for her, which I think is unfortunate. But... 

Dave Bittner: Yeah, yeah. Especially as hard as it is to delete a Facebook page or a Facebook account... 

Joe Carrigan: Right, (laughter) right. 

Dave Bittner: ...You know? Like, really, it's hard to believe that anything is gone forever when you upload it to Facebook. 

Joe Carrigan: Yeah, I don't think that information is gone. I don't think those posts don't exist anymore. I just think... 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: ...The visibility is set to false and that Facebook just doesn't want to take the time to go back through and do that for Deanna. And... 

Dave Bittner: Yeah. 

Joe Carrigan: ...I kind of - I understand why they don't want to do that, because if they do that, they may think they have to do it for everybody, but they really don't. They can be selective. 

Dave Bittner: Yeah. 

Joe Carrigan: This is a case here where I think it would be good for them. I mean, she's got a pretty big following. She's a pretty well-established and prestigious journalist. And I don't think she's going to stop talking about this. It may be in Facebook interest to go ahead and help her out here. 

Dave Bittner: All right, interesting story, for sure. Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it's faster than a speeding bullet. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.