The CyberWire Daily Podcast 9.8.20
Ep 1168 | 9.8.20

Ransomware or wiper? Emotet’s resurgence. Updates on Services NSW breach. COVID-19 cyberespionage. BTS replaces Guy Fawkes?


Dave Bittner: Thanos is back, but as ransomware or a wiper? Cyber agencies in France, Japan and New Zealand warn of a spike in Emotet infections. Australian authorities say 186,000 were affected by the breach at Services (ph) NSW. Georgia decries cyber-espionage at its Lugar Lab. COVID-19 cyber-espionage efforts have been intense, as have counterintelligence efforts designed to defend labs and supply chains. Rick Howard looks at identity management. Ben Yelin covers tightened surveillance of political advisers. And Anonymous may have a successor - K-pop stans.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 8, 2020. 

Dave Bittner: And we're back from the Labor Day weekend. Did you miss us? We missed you and hope you enjoyed the holiday, if holiday it was in your neck of the woods. Here are some stories that broke over the long weekend. 

Dave Bittner: Early Friday, Palo Alto Networks' Unit 42 reported a Thanos campaign against two government organizations not identified in the report in the Middle East and North Africa regions. This variant overwrites the master boot record to deliver its demand for $20,000 in bitcoin. But this is both unusual and, from the attackers' perspective at least, counterproductive. CyberScoop quotes Recorded Future as observing that the attack may be a destructive wiper posing as ransomware. 

Dave Bittner: The good news, such as it is, seems to be that the attempt to overwrite the master boot record was bungled, unsuccessful. Bleeping Computer notes that Thanos affiliates were less than fully successful in more traditional June attacks against European targets. 

Dave Bittner: French, Japanese, and New Zealand authorities have issued warnings of an increase in email-borne Emotet campaigns actively working against targets in their countries. Many of the payloads are carried in malicious PDF or, more recently, doc attachments. Some government agencies have themselves been the victims of the botnet-driven campaign, and ZDNet reports that France's cybersecurity agency, ANSSI, yesterday issued a warning that government officers should avoid opening emails with attached doc files. 

Dave Bittner: The Sydney Morning Herald has an update on the data breach at Service NSW. Forty-seven compromised employee email accounts were used to obtain personal data of 186,000 customers and staffers. At-risk customers are being notified by mail. 

Dave Bittner: The opposition Labor Party has expressed its dissatisfaction with the way the government's handled the affair. Labor's shadow minister for public services, Sophie Cotsis, said that Minister for Customer Service Victor Dominello needs to face the public and face the music for the breach. Quote, "under Mr. Dominello's watch, cybercriminals have broken into Service NSW and may have stolen people's birth certificates, credit card details, medical records, financial information and even sensitive legal enforcement information," Ms. Cotsis said, enumerating the kind of PII believed to have been compromised. 

Dave Bittner: Georgian authorities confirm that a cyberattack on the Lugar Lab biomedical research center in Tbilisi took files related to research into the COVID-19 pandemic. The cyber-espionage is not yet attributed to anyone, but Georgia's foreign ministry says it's investigating and won't hesitate to name the perpetrator once they've determined who's responsible. 

Dave Bittner: Georgian authorities haven't said so, but the country has long been the subject of Moscow's attentions. The Lugar Laboratory, named after former U.S. Senator Richard Lugar, represents a joint attempt by the governments of the United States and Georgia to provide safe and even positive uses for the talents of Soviet-era biowar researchers, a significant number of whom had worked in Georgia. Its origins lie essentially in that nonproliferation effort. Work on the lab, which falls under Georgia's National Center for Disease Control and Public Health, began after a 2004 agreement between Washington and Tbilisi. Constructed with the support of U.S. funding, the Lugar Lab became fully operational in 2013. 

Dave Bittner: Any American cooperation with a former Soviet Republic, indeed with any former Warsaw Pact country, amounts to a burr under Russian saddles, and so it's not surprising that the Lugar Lab should have done so. With Moscow disposed to read the worst intentions in anything Washington does, that's understandable. Less understandable, and even less forgivable, are the Russian disinformation campaigns that have imputed a Georgian American conspiracy to deliberately spread infectious diseases. In any case, the Lugar Lab is the sort of organization that would quickly draw the attention of Russian intelligence services. 

Dave Bittner: But do remember, it's worth noting that Russian intelligence services amount to the usual suspects and that Georgia's government hasn't yet called them out. 

Dave Bittner: While Russia's SVR Foreign Intelligence Service has displayed a close interest in pandemic-related biomedical research, Chinese and Iranian intelligence services have also undertaken considerable efforts to collect intelligence on COVID-19 work. 

Dave Bittner: So the incident at the Lugar Lab isn't a one-off. The New York Times reports that COVID-19 research has become a common target for collection by espionage agencies. In this, Chinese services have been particularly active. Their targets have tended to be U.S. research universities. The Times' story makes particular mention of the University of North Carolina, with some effort also made to penetrate biomedical companies. 

Dave Bittner: It appears they've had limited success with the companies they've targeted - Gilead Sciences, Novavax and Moderna. But universities seem to offer a relatively softer target than government or corporate labs. And according to the Times, Beijing has sought to make use of its influence with the World Health Organization to facilitate collection of biomedical intelligence. 

Dave Bittner: Russian efforts to steal COVID-19 research have been more focused on the United Kingdom, where Oxford University and its pharmaceutical corporate partner AstraZeneca have been targeted by the espionage services. 

Dave Bittner: CyberScoop has an account of U.S. efforts to secure vaccine research. Operation Warp Speed is the name that's been given to the American crash effort to produce a vaccine by January, and the program has a significant security component. Formerly known as security and assurance, this subprogram represents a joint effort among the Defense Digital Service, National Security Agency, FBI, the Department of Homeland Security and the Department of Health and Human Services. The program provides security advice and assistance to the companies developing the vaccine and to the companies establishing the supply chain that will deliver the 300 million doses Warp Speed intends to produce by the beginning of 2021. 

Dave Bittner: And finally, remember Anonymous? Sure, the Guy Fawkes-masked anarcho-syndicalist collective tended to overpromise and underdeliver, especially after some of its more prominent members were arrested. Anyway, there may be a successor movement - K-pop stans, devoted followers of one or more K-pop bands. This phenomenon appears to be a large and loose aggregation - more collection than collective - of K-pop hotheads. The K-pop stans have apparently undertaken spontaneous hacktivism a few times during the past few months of lockdown and disquiet. 

Dave Bittner: Forbes points with alarm to what it calls a 100 million-strong crowd of hackers and hacktivists, the BTS ARMY. BTS is a popular K-pop boy band - BTS, standing at least sometimes for Burn The Stage, as we remember from the TV and YouTube commercials, and ARMY, representing an acronym for Adorable Representative MC for Youth. BTS's hit "Dynamite" continues at the top of the Hot 100. But whether this represents a serious movement or simply another reason to wish for middle schools everywhere to reopen as soon as possible is unclear - still, arguably better than Rickrolling. 

Dave Bittner: And it is always my pleasure to welcome back to the show Rick Howard. He is our chief analyst, also our chief security officer here at the CyberWire, doing his best to keep us all out of trouble. Rick, always great to have you back. 

Rick Howard: Oh, man. Don't put that pressure on me (laughter). 

Dave Bittner: I know, right? Who needs that? 

Dave Bittner: Well, listen; this week on "CSO Perspectives," you have gathered up members of the Hash Table, and you are tackling identity management. Now, to me, that is one of those things that sounds simple on the surface, but the devil is in the details, right? 

Rick Howard: It's absolutely true. And after spending a couple of weeks on this and talking to a bunch of experts about this, it turns out there's, like, four things that any identity management program should have. And I'll just kind of go through the list, all right? 

Rick Howard: So the first one is you should have a way to federate with your partners, all right? And we talked about that before, but it's basically trusting another organization. If they trust you and you trust this user, then they trust that user - so a way to automate that. That's been around for many, many years now - so federation. 

Rick Howard: The second one is you need an ability to give your employees - to escalate their privilege. It's kind of like the old sudo command if you're a Unix guy from back in the day - right? - but... 

Dave Bittner: Right. 

Rick Howard: ...On a grander scale. We need to be able - Rick doesn't run as an administrator all day long. He runs as a normal user, but he needs a way to get permission to do, you know, administrator-type things. So that's another key factor to it. 

Rick Howard: And then the third one is to automatic extra authentication, OK? This is the typical one where, you know, the CEO needs to get access to the M&A database, right? And maybe for that particular data set, we want to take extra care that the CEO is actually who she says she is, so we might throw an additional authentication layer on that, like two-factor or something, right? 

Dave Bittner: I see. 

Rick Howard: And then finally, the fourth thing that all identity management programs should have is a way to manage the identities of all your employees throughout their lifecycle - all right? - because, you know, many companies - you take on different jobs, you get promoted, you move laterally, right? 

Rick Howard: And I was talking to the Finning CISO - Suzie Smibert, old friend of mine - out of Canada. And she has a perfect way to describe this. She calls it entitlement accumulation. 

Suzie Smibert: You have someone that starts, say, front desk, and then they move into a support role, and then accounting and HR. And they move around, but they retain and accumulate entitlement as they move through your organization with their tenure. And that is especially prevalent with senior leaders because to develop senior leaders, generally, they get moved around organization. So you have senior leaders with access across a slew of business function just because they've been, you know, developed and grown through the organization. And that's a high risk if that identity was to be compromised. 

Suzie Smibert: So there is entitlement accumulation where we don't want to see it happen at times if employee move roles. But we do regular certification of entitlement, and then we remove a lot of access every single time we go through those exercise. What we've been doing is integrating our ID platform or other tools that manage an entity with the system of records for HR. So as a role or anything is changed in our HR systems, there's automated workflow that trigger entitlement review or change of entitlement in a suite of systems - not the entirety of our organization, but there is a lot of automation to help us not have hands on keyboard. 

Dave Bittner: OK, so interesting stuff for sure from Suzie. You know, one of the things that strikes me here, Rick, is that all this stuff that we've been talking about with identity management - how does that interact, how does that cross over with zero trust? Is that something that you and the Hash Table talked about? 

Rick Howard: We did talk about that. And what's interesting is that those two concepts in our network defender space really evolved in parallel. You know, if our listeners listen to the last week's episode, I kind of went through a history of identity management. And we really had - the tools came into focus where we were using them sometimes in the early 2000s, but they were stable by 2014. 

Rick Howard: Now, the idea of zero trust, they were kind of bopping around in the early 2000s, too, but really didn't get formalized until John Kindervag wrote the white paper in 2010. But today - even today - right? - most people struggle with their zero trust program, so it wasn't like we said we needed zero trust, so we needed identity management. That's not what happened. 

Rick Howard: In the early days, we used identity management as an HR tool, you know, to track employees as they moved around the organization. It wasn't - appeared lately that we realized that identity management is essential to do zero trust. But all of us are struggling to get there because they weren't built together in the first place. Now we're trying to kind of scoot them together. 

Dave Bittner: Yeah. All right, well, do check it out. It's "CSO Perspectives." It is part of CyberWire Pro. You can find out all about that on our website, Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Ben, always great to check in with you. 

Ben Yelin: Good to be with you, Dave. 

Dave Bittner: Interesting story from The Washington Post. This is written by Devlin Barrett. It's titled "Barr Tightens Rules on Surveillance of Political Candidates and Advisers." Some news here from Bill Barr, our attorney general. What's going on here, Ben? 

Ben Yelin: So this goes back to the Carter Page scandal, or the so-called Russiagate scandal, emanating out of the 2016 election. In that election, the FBI made an application to the Foreign Intelligence Surveillance Court to track some of the communications of Carter Page, who had been an adviser to the Donald Trump presidential campaign. When the FISA warrant was granted, he was no longer on that campaign. But obviously, this raised concerns about using the FISA process to initiate political investigations against presidential campaigns. This controversy grew, particularly when we learned that part of those applications were falsified. They didn't dot their I's and cross their T's. There was a lot of missing information and missing context. 

Ben Yelin: So what Attorney General Barr is trying to do here is to make sure that does not happen again. In order for there to be an investigation of a presidential campaign or any advisers, formal or informal, to that campaign, officials have to consider warning that person that foreign governments may be targeting them. If the federal government does not do that, the FBI director has to spell out in writing the reasons for not doing so. So these are new checks on the FBI's ability to initiate these investigations without informing those campaigns. 

Ben Yelin: So the way at least this theoretically would have worked in 2016 is the FBI would've had to have gone to the Trump campaign and said, hey, we have, you know, a little bit of information on one of your advisers, Carter Page. He might have connections to the Russian government. We wanted to give you a heads-up. Why don't you tell us about it, give us an explanation? We don't want to start a political investigation if this is not merited, if this is based on false information. 

Ben Yelin: So this goes into effect immediately. It is going to be in effect for the 2020 presidential campaign. And I think it, at least in the view of Attorney General Barr, will stop the FBI from pursuing surveillance efforts if it doesn't have all of its ducks in a row. 

Dave Bittner: So what's your take on this? Will this make a difference? How much of this is good faith, practical stuff? How much of it is, you know, rhetoric and political theater? 

Ben Yelin: Some of it certainly is political theater. I mean, for one, Carter Page had left the Donald Trump campaign by the time the FBI obtained the warrant. So this memo - it's not clear whether this memo would have actually - or the rules put in place here by Attorney General Barr would have stopped that surveillance because at that point, Carter Page was a private citizen. 

Ben Yelin: It's also unclear, based on these new regulations, who is potentially defined as an informal adviser to a political candidate. Political candidates have probably hundreds of informal advisers - hundreds, if not thousands. So is it somebody who's had a discreet communication with that campaign? You know, if, for example, former Vice President Joe Biden called up, you know, President Obama for an informal conversation on campaign advice, would that make, under this new policy, President Obama an official informal adviser to the campaign, and therefore not eligible for the type of surveillance practices that took place in 2016? So I don't think this has been a perfectly considered new set of regulations. 

Ben Yelin: I generally think it's important to avoid either actual political investigations during a presidential campaign or even the appearance of political investigations. I will note, you know, that nothing about the investigation into the Trump campaign had actually been released when people were voting in 2016. That's certainly in contrast to the information that was released about the investigation into former Secretary of State Hillary Clinton's email servers. But, you know, I think this is a valid effort to try and stop our law enforcement agencies from being overzealous and for starting political investigations during - while we're supposed to be engaged in a - small-d - democratic process. 

Dave Bittner: All right. Yeah, interesting development as we certainly wade deep into election season here, right, Ben? 

Ben Yelin: Absolutely, yeah. Something that we'll follow going forward. 

Dave Bittner: Yeah. All right, well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it's too cool for school. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.