The CyberWire Daily Podcast 9.23.20
Ep 1179 | 9.23.20

Naval Gazing around the South China Sea, and other disinformation. LokiBot is back in a big way. Darknet merchants busted. Cyber rioting along the Blue Nile.


Dave Bittner: Facebook takes down coordinated inauthenticity. A ransomware-involved death is attributed to DoppelPaymer. CISA and the FBI warn of coming election disinformation. LokiBot is back in a big way. Operation DisrupTor collars 170 dark net contraband merchants. Joe Carrigan comments on that botched ransomware attack in Germany that led to a woman's death. Our guest is Matt Davey from 1Password on why single sign-on isn't a silver bullet for enterprise security. And patriotic hacktivism flares along the Blue Nile.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 23, 2020. 

Dave Bittner: Facebook has taken down a Chinese disinformation network that sought to engage public opinion in the U.S. and even more so in the Philippines. They also took down a Philippine-based network that may have some connection to the government in Manila. TechCrunch summarizes the two examples of coordinated inauthenticity as involving 155 Facebook accounts, 11 pages, nine groups and seven Instagram accounts connected to the Chinese activity and 57 accounts, 31 pages and 20 Instagram accounts for the activity in the Philippines. Graphika calls the Chinese campaign Operation Naval Gazing - and that's N-A-V-A-L, like the academy in Annapolis - because it has to do with navies and supporting Beijing's expansive territorial claims in the South China Sea. The campaign is noteworthy for its use of AI to generate photos for account profiles. Expect to see more of this in future inauthenticity. It's also worth noting that while the provenance of Operation Naval Gazing seems clearly to have been Chinese, the precise connection to the government in Beijing remains obscure.

Dave Bittner: The Aachener Zeitung reports that investigators have identified the ransomware implicated in a woman's death in Nordrhein-Westfalen. It was DoppelPaymer. The victim died when University Hospital Dusseldorf had to divert her ambulance to another facility because its own admission systems had been rendered unavailable. Newsweek observes that DoppelPaymer, a fork of Evil Corp's BitPaymer ransomware, is associated with the Russian cyber underworld, and German prosecutors are accordingly looking east. Their investigation is focused on negligent homicide. And to make that case, the prosecutors will have to establish that the woman had a chance of survival had she been treated in Dusseldorf. That's not yet known. 

Dave Bittner: The DoppelPaymer infestation is said to have affected 30 servers at the hospital and to have gained entrance months ago, possibly in late 2019, by exploiting a now-patched Citrix VPN vulnerability. It appears that the gang's target may have been the Heinrich Heine University itself and not the university's hospital. The ransom note was addressed to the university. The New York Times says Dusseldorf police responded to the gang's ransom note to explain that they'd hit a hospital. At that point, the attackers stopped the attack and turned over a decryption key and then stopped responding. 

Dave Bittner: Much about the story remains unclear. The pattern in hospitals affected by ransomware has been they've found workarounds to continue emergency services even when admin systems and medical records were down and that they've deferred elective and non-urgent care. But so many critical systems are now networked that a comprehensive enough crash might cause so much confusion and chaos that a hospital might go on diversion, with emergency responders told to divert patients to other facilities. It may be that something along those lines went on in Dusseldorf. Presumably, more information will become available as the story develops. 

Dave Bittner: CISA and the FBI warn that foreign disinformation can be expected to call results of U.S. elections into question. The alert's central point involved the likelihood of foreign espionage services seeking to use any delays in counting or certifying votes as an opportunity to instill doubt. The agencies warn, quote, "State and local officials typically require several days to weeks to certify elections' final results in order to ensure every legally cast vote is accurately counted. The increased use of mail-in ballots due to COVID-19 protocols could leave officials with incomplete results on election night. Foreign actors and cybercriminals could exploit the time required to certify and announce elections' results by disseminating disinformation that includes reports of voter suppression, cyberattacks targeting election infrastructure, voter or ballot fraud and other problems intended to convince the public of the elections' illegitimacy," end quote. 

Dave Bittner: CISA has also warned of a resurgence in information-stealing LokiBot. The current surge began in July. LokiBot is used as a keylogger for credential theft and for extracting other information from affected desktops. It can also be used to install a backdoor that can be used for further attacks. The malware affects Windows and Android systems. It's commonly distributed by phishing, smishing or waterholing attacks.

Dave Bittner: The U.S. Justice Department yesterday announced the success of Operation DisrupTor, an international dragnet that's collared 170 dark net contraband merchants who'd been hawking their wares in such disreputable souks as AlphaBay, Dream, Wall Street, Nightmare, Empire, White House, DeepSea and Dark Market. One-hundred-nineteen arrests were made in the United States with two more made in Canada on American warrants. Forty-two people were arrested in Germany, eight in the Netherlands, four in the United Kingdom, three in Austria and one in Sweden. The lead law enforcement agencies were the U.S. Federal Bureau of Investigation and Europol, but it was a big multinational operation. The individual agencies are too numerous to mention, but they included organizations in Austria, Cyprus, Germany, Canada, Portugal, the Netherlands, Sweden, the United Kingdom and Australia. The operation was called DisrupTor, as we noted, and that is a pun - disrupt Tor (ph). Tor, of course, is not necessarily or even typically nefarious, but one effect of this enforcement action is to disabuse criminals of the notion that Tor is a kind of safe haven or cloak of invisibility. So the Justice Department press release is not so much a word to the wise as it is a word to the wise guys.

Dave Bittner: And finally, lest anyone forget that regional rivalries can be as serious as great power competition and far more hair-triggered, Foreign Policy reminds us that Egypt and Ethiopia are engaged in a protracted squabble over Nile water rights that's being fought so far largely in cyberspace. The foot soldiers of this conflict are largely patriotic hacktivists, so the confrontation may be closer to cyber riot than cyberwar.

Dave Bittner: The dispute between the two countries centers on the Grand Ethiopian Renaissance Dam, which Ethiopia sees as a key development of national infrastructure and Egypt sees as a threat to its own water supply and its ancient connection to the Nile River. Cyberattacks began in late June, with Egyptian hacktivists of the Cyber Horus Group taking down and defacing a number of Ethiopian government websites. Ethiopian social media influencers followed with taunting as the reservoir began filling in July. 

Dave Bittner: While the ongoing exchanges in cyberspace don't appear to have been government-directed, that could change. Government action may be difficult to discern. Both Cairo and Addis Ababa have shown some ability to co-opt or inspire hacktivism, and both can be expected to remain interested in achieving and maintaining plausible deniability. 

Dave Bittner: 1Password recently released results of a survey looking at single sign-on and shadow IT, highlighting apps being used within an organization that fall outside of the scope of single sign-on. Matt Davey is chief experience optimist at 1Password. 

Matt Davey: The creation of a bunch of these reports always starts around kind of us trying to tell a story about the current situation. And I think what it always turns into is us finding something really interesting and new that we hadn't expected. So with this one, for example, you know, it was all around the time and how IT professionals are spending their time, especially in the kind of identity and access management area, and what those people kind of spend their time doing - you know, how we as a password manager can help with that as well. 

Dave Bittner: Lay it out for us. So what's the reality here that folks out there are dealing with? 

Matt Davey: So I mean, there were some good points and some bad points, right? So what we looked at is over the course of a year, people actually spend a full month of work on tasks that are repetitive and mundane. You know, resetting passwords is a huge time suck for these people. This impacts kind of, you know, productivity and everything. I mean, it can't be a nice thing, really. And it also looked at things like shadow IT and how working from home has kind of impacted that as well. 

Dave Bittner: So when it comes to resetting passwords, is that something that people are hesitant to automate because of the security implications there? 

Matt Davey: I think there's a bunch of reasons why you wouldn't want to install, you know, any extra thing that can go wrong in that process. I think, really, just having an underlying kind of solution for that - and we believe that that's an enterprise password manager, right? Like, there's one thing of telling someone to remember a password and then having to reset it every month. And then there's another thing of, you know, being able to trust that person with their own security. 

Dave Bittner: Well, let's go through some of the other details that you all discovered here. What were some of the interesting things that stood out to you? 

Matt Davey: So as I mentioned, there, you know, are good points to this as well. You know, prior to conducting our research, we actually feared that people would be more relaxed at home and more likely to slip up on kind of normal security behavior. But we were really pleasantly surprised to find out that, you know, only 20% of workers don't follow the company's security policy... 

Dave Bittner: Yeah, only (laughter). 

Matt Davey: ...When we asked that - kind of at all times. You know, with that 20%, you know, it doesn't come from a place of malice. Actually, 49% of people cite productivity as their top reason for circumventing IT's rules. I know I have been guilty of that at times. And I'm sure a lot of people have as well, you know - always in the kind of air of, I just need it done now rather than reviewed. But, yeah, I think we can get around that not with, oh, I just need it now, but, you know, I understand the process, and I understand how long it will take. 

Dave Bittner: That's Matt Davey from 1Password. 

Dave Bittner: And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute, but perhaps more important than that, he is my co-host over on the "Hacking Humans" podcast. 

Joe Carrigan: (Laughter). 

Dave Bittner: Joe, it's great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got an interesting - well, this is commentary by friend of the show Graham Cluley... 

Joe Carrigan: Yep. 

Dave Bittner: ...Who most of you probably know from "Smashing Security" and his writing on cybersecurity issues. He's commenting on a story that The Associated Press published. The title of his article is "Hospital Patient Dies Following Botched Ransomware Attack." What's going on here, Joe? 

Joe Carrigan: So, apparently, what happened is these cybercriminals targeted Heinrich Heine University, and instead of getting the ransomware into Heinrich Heine, they got their ransomware into Dusseldorf University Clinic, which is affiliated with Heinrich Heine University, but it is not the same thing. And as a result, 30 servers at the clinic were encrypted, and the hospital began diverting patients, emergency patients, to other hospitals. And one of those patients was diverted to a hospital that was 20 miles away, and she did not survive, according to this. 

Dave Bittner: And that time could have made a difference, I suppose. 

Joe Carrigan: Absolutely, that time could've made a difference. Now, funny that this is from Graham Cluley because about a year ago, Graham Cluley sat in on the show for me because I had a very similar event with my wife, where she was taken to the hospital and if she was not in the hospital when what happened happened, she would not have survived. And if she was redirected to a different hospital or if we were in an area where a hospital is not as close as one is to our house, she probably would not have survived this incident. This is - these cybercriminals have murdered this woman in my opinion. The police contacted the cybercriminals and said, your ransomware has gone into a hospital, not into a university, at which point in time the cybercriminals said, oh, here are the keys - bye. And that was it. 

Dave Bittner: (Laughter) Right, right. They must be wetting themselves. 

Joe Carrigan: Right. 

Dave Bittner: Oh, crap (laughter). 

Joe Carrigan: Yeah. I don't know if the cybercriminals know that they killed somebody, but the German police are investigating the hackers on suspicion of, quote, "negligent manslaughter." 

Dave Bittner: And so unintended consequences is something that got out of hand. 

Joe Carrigan: Yep. 

Dave Bittner: Obviously, they didn't set out to cause anyone's death... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, by direct or indirect action. But that's what happened. 

Joe Carrigan: Absolutely. 

Dave Bittner: I wonder, too, Joe - I mean, what are your thoughts on this? Because, obviously, you work at Johns Hopkins University, which... 

Joe Carrigan: Absolutely. 

Dave Bittner: ...Johns Hopkins is also a highly respected hospital. 

Joe Carrigan: It is. 

Dave Bittner: So this sort of thing, I could imagine happening to your home organization. 

Joe Carrigan: Yeah. People try to do it every single day. We have one person who is in charge of the information security for all the organizations outside of the Applied Physics Laboratory. And that is the CISO of the organization, and he is responsible for security at the university and the hospital and all the different schools, as well as Kennedy Krieger. So all these different organizations fall under his purview, and I think that's important to have - is some kind of unified security vision that allows an organization like Hopkins to provide the kind of security and to see the movement of this kind of data around the networks. This particular case in Dusseldorf may not be as clear cut because these two organizations, the university and the hospital, are affiliated but they are not under the same organizational structure, like Johns Hopkins University and Johns Hopkins Hospital are.

Dave Bittner: Right. Right. Well, I mean, it's certainly a tragic outcome here of - I suppose, you know, people say, with things like ransomware, oh, what's the real harm? 

Joe Carrigan: Yeah. 

Dave Bittner: You know, someone gets their files locked, maybe there's financial loss. Oh, people have insurance and so forth. I think this takes it to another level and points out that even - I mean, in this case, it seems accidental that the ransomware folks, they accidentally hit the wrong target, and as a result of that, directly or indirectly, someone lost their life. 

Joe Carrigan: Yeah. Graham says - at the very end of this, he says, I'd like to think that someone might read about this case and think again about committing an attack. I would like to think that, too. I don't know that this is going to have much impact on ransomware attacks. 

Dave Bittner: Well, and we've seen ransomware folks go directly at health care organizations. 

Joe Carrigan: Absolutely. 

Dave Bittner: That is their target because... 

Joe Carrigan: They've... 

Dave Bittner: And it's because of this sort of thing - because lives are on the line. 

Joe Carrigan: Exactly. We've seen them go after a lot of smaller health care systems, and a lot of times, these guys pay up because the life is more important. 

Dave Bittner: Right. Right. All right. Well, again, this is over on Graham Cluley's website. It's titled "Hospital Patient Dies Following Botched Ransomware Attack." Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it's stronger than those bargain brands. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.