The CyberWire Daily Podcast 10.8.20
Ep 1190 | 10.8.20

Bahamut’s hackers-for-hire. SlothfulMedia looks made-in-China. Domains run by IRGC seized. Phishbait uses current events as chum. Who dunnit? Not us, or rather, prove it, says Moscow.


Dave Bittner: Add the Bahamut cyber mercenaries to the shadow armies for hire in cyberspace. Reports associate the SlothfulMedia RAT with Chinese intelligence services. The U.S. takes down domains the Islamic Revolutionary Guard Corps uses to push disinformation. Trends in phishbait. Caleb Barlow rethinks a TED Talk he gave a while back, given what we've learned from COVID-19. Our guest is Dr. Greg Rattray from Next Peak on advanced persistent threats, a term, by the way, that he coined. And Moscow says, hey, we don't meddle in anyone's elections.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 8, 2020. 

Dave Bittner: BlackBerry yesterday published its research into the activities of Bahamut, a threat group regarded as a mercenary operation, unusually sophisticated and patient. Its customers - or true sponsors, as BlackBerry calls them - remain unknown. It's engaged in cyber-espionage and disinformation, and its operations are marked by extensive reconnaissance, concentration on particular targets and attention to detail. It prefers phishing to malware, but it shows unusual savvy with respect to zero-days when it decides to deploy those. 

Dave Bittner: The attention to detail shows up, for example, in the apps and websites Bahamut devises. In an underworld where goons can scarcely be bothered to care about spelling, still less about idiomatic control and not at all about the legal folly-swaddles in which the squares and flats ensconce their commerce, Bahamut's stuff comes complete with, as BlackBerry puts it, well-designed websites, privacy policies and written terms of service. Not only do these provide the corroborative detail that lends verisimilitude to what would otherwise be a bald and unconvincing narrative, but that verisimilitude also helps Bahamut pass through safeguards both Google and Apple have in place. Big Tech's walled gardens are as open to Bahamut's wares as a locked door is to a ghost. The group is most active in the Middle East and South Asia. 

Dave Bittner: Given their patience and sophistication so unusual in the shortsighted, get-it-now underworld of the typical cybercriminal, why do BlackBerry and others not read Bahamut as just a nation-state's espionage service? The techniques convincingly suggest a single actor, but BlackBerry says the lack of discernible pattern or unifying motive moved BlackBerry to confirm the group is likely acting as hack-for-hire mercenaries. 

Dave Bittner: BlackBerry sees Bahamut as a leading example of the outsourcing of cyber-espionage and disinformation, attractive not only for its capabilities but also for the deniability it brings. Bellingcat began to take notice of Bahamut in 2017 as the actor behind a series of spear-phishing emails in English and Farsi directed to human rights activists in the Middle East. So the group is not a new one. CyberScoop, in its account of BlackBerry's research, offers a review of other mercenary actors, but Bahamut really does seem to set the standard. 

Dave Bittner: CyberScoop has a follow-up to earlier warnings by the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and U.S. Cyber Command's Cyber National Mission Force. Last week's warnings concerned SlothfulMedia, a remote access Trojan - that is a RAT - used in cyber-espionage campaigns. CyberScoop reports that sources in the U.S. government have told it on background that SlothfulMedia is indeed associated with the Chinese government. It's been used against both India and Russia, and the U.S. officials who spoke with CyberScoop are particularly interested in seeing it become generally known that Beijing is actively and aggressively spying on Moscow. The enemy of my enemy isn't really my friend, but on the other hand, it is my enemy's enemy. 

Dave Bittner: The U.S. Justice Department last night announced the seizure of 92 domain names that Iran's Islamic Revolutionary Guard Corps, the IRGC, had been using in global disinformation campaigns. The domains were used to create fake personas, misrepresenting themselves as independent news services. Four of the domains hosted bogus news outlets the IRGC used in attempts to influence U.S. foreign and domestic policy. 

Dave Bittner: So that's just the IRGC putting its opinions forward, one might say. Is that a crime? Well, actually, in this form, yes. Specifically, it's a violation of the Foreign Agents Registration Act. So it's the imposture that's the crime, not necessarily the content. The other 88 domains taken in the seizure hosted equally phony news services that went after audiences in Western Europe, the Middle East and Southeast Asia. 

Dave Bittner: Justice credits Google with alerting them to the campaign, citing it as a good instance of public-private cooperation. The takedown itself was a cooperative effort of the FBI, Google, Twitter and Facebook. The FBI special agent in charge who directed the bureau's part of the operation said, quote, "this case is a perfect example of why the FBI's San Francisco division prioritizes maintaining an ongoing relationship with a variety of social media and technology companies. These relationships enable a quick exchange of information to better protect against threats to the nation's security and our democratic processes," end quote. 

Dave Bittner: But what does it look like when a domain is seized? Well, it looks like this. Should you navigate over to any of the sites the bureau took down, you'll see a page with the headline, "This Website Has Been Seized." The explanation below the screamer and above the seals of the Department of Justice and FBI says, this domain has been seized by the Federal Bureau of Investigation pursuant to a seizure warrant issued by the United States District Court for the Northern District of California under the authority of 18 USC 981(b) as part of a coordinated enforcement action by the United States attorney for the Northern District of California and the Federal Bureau of Investigation. So there. 

Dave Bittner: And finally, TASS is authorized to disclose that accusations of Russia's interference in foreign elections are groundless, baseless and without foundation. That's not necessarily the same thing as false, so call it a see-them-and-call nondenial denial. 

Dave Bittner: It is not often when conducting an interview for our show that I am stopped in my tracks with a - I'm sorry. Wait. What? But that's what happened when I was chatting with Dr. Greg Rattray, co-founder and CEO at cyber advisory and operational services firm Next Peak, when in the midst of our conversation about APTs - advanced persistent threats - he offhandedly - and might I add, quite modestly - mentioned that he was, in fact, responsible for coining the term. 

Greg Rattray: At the time, I was the head of what's called the operations group of what was then the Information Operations Center, Information Warfare Center. And, you know, we had been experiencing what at that time was treated as very sensitive information - no longer sensitive that the Chinese conduct cyber-espionage, but at the time, sensitive. And we had become increasingly concerned about the risk not only to Air Force systems or DoD systems but to the defense industrial base. And a particular incident, which I'm probably not at liberty to go into the specifics of, had really caught the attention of the leadership in a decision made to bring in people from a lot of our primary Air Force contractors to talk to them about the nature of the cybersecurity concerns we had and we thought that they would have, too. And we wanted to do that in an unclassified fashion with the CSOs and the CIOs of these companies. 

Greg Rattray: So it led to, you know, preparing a presentation. And in order to characterize what was different than what we thought they might be dealing with, which they thought they were just dealing with one-off hacking incidents but that we felt like we had an adversary that was conducting long-term, focused - you know, now we call cyber operations but, you know - penetration operations. We decided and we coined the term - or I coined the term advanced persistent threat, really, just to create a construct for a conversation about what was different and of the nature of what we were experiencing now from these sort of one-off hacking incidents. 

Dave Bittner: And I guess the term stuck, and it really kind of took off from there. 

Greg Rattray: Yeah. I think the way it sort of took root was, as you may well know, there was a concerted effort, really, from that point forward to partner with industry. That was an Air Force term which turned into a DoD-wide effort to partner with the defense industrial base, which still, you know, is a major element of DoD, you know, relationships with its contractors. 

Greg Rattray: And, you know, in those conversations, we sort of went to this sort of introductory conversation we had had and kept using that terminology, APT, right? And they know. And it sort of got out, I think, that the collaboration was there, and people started to report on it. And in the conversations, people kept using that term. So I think it was sort of through those origins that the term took root in the dialogue first sort of internal to the DoD partnerships with its industry but then more broadly in the cybersecurity. This evolution of the APT is sort of what we need to understand now and not use it too narrowly. 

Dave Bittner: That's Dr. Greg Rattray from Next Peak. 

Dave Bittner: And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great to have you back. I wanted to touch base with you. You know, a while back, you gave a TED Talk that had to do with large-scale cyber events. And you and I were talking recently about how recent events have made you sort of look back and think about maybe if you had to do some updates on some of your conclusions from back then. Can you share your line of thought with us? 

Caleb Barlow: Oh, boy, Dave. Well, what I said in this TED Talk was that, hey, the way we need to respond to a large-scale cybersecurity incident - like, let's take a NotPetya-level incident - was that we needed to think about it like how you'd respond to a pandemic, you know. Governments and private institutions would get together and would really rally around the cure and would share information openly and widely, and that's what we needed to do more of in the cybersecurity industry. Well, that TED Talk got a ton of listens and a lot of kudos for that kind of thinking. But, of course, now we have a pandemic and... 

Dave Bittner: Right. 

Caleb Barlow: ...It's not going so hot. 

Dave Bittner: (Laughter). 

Caleb Barlow: In fact, I'm kind of looking at it, Dave, going, maybe we need to rethink that thesis. So I started really thinking about this and kind of flipped it upside down and backwards and said, OK, well, there's some things that aren't working in the pandemic. Could we learn things from that that could inform how we respond to a cyberattack of significance that's global in nature? You know, again, take a NotPetya-level event that goes on not for days but for many days, right? And the first thing we have to realize is the internet now is the critical infrastructure. It's how we educate our children, literally right now, at least in my household. It's how we go to work. It's how we make money. It's how we educate ourselves. It's how we shop. It can't go down, right? So it trumps all other critical infrastructures. 

Caleb Barlow: And, you know, if we think of a COVID-19 response, well, it requires a whole-of-nation response, as well as you need multiple nations to get together to rally around a problem. And you probably also need the private sector. Well, one of the first things we can learn that we've got to figure out in our planning is, who the heck is in charge, right? I mean, we're seeing arguments at the state and local level in this. We're seeing arguments and even competition between countries as we look for a cure. Now's the time as cybersecurity professionals to say, hey, if this happens on our security watch, we've got to figure this out ahead of time. And all the more important to, you know, join your local InfraGard chapter and connect with law enforcement, build those relationships with government entities and, you know, really lean into the ISACs more than we've ever thought of before to build that connective tissue. But we're going to have to think about at the governmental level, who is in charge? Because if we don't know who's in charge, then everybody goes off kind of doing their own thing. And we're frankly seeing a lot of that in the response to this pandemic. 

Dave Bittner: I can't help wondering, I mean, is part of this process making it so that the process itself is independent of the leadership skills - or lack thereof - whoever may be in charge at the time? Because as we've seen, certainly globally, there's been a wide spectrum of responses from different nations, and a lot of that has been coming from whoever is at the top. 

Caleb Barlow: Well, one of the things you learn about when you think about any form of crisis response - so whether we're - and we've talked about this on this show before, right? Whether we're talking about crisis response that's used in fire and EMS or the military, the first principle in most of those doctrines is you work the problem with who's in the room and who is the most skilled, not who has the highest-level title, right? So - and this is the difference, I think, between a lot of business decision-making and crisis decision-making. You want the decision to be made quickly, and you want it to be made with people that have high skills. And you want to be able to change the decision if you're going down the wrong course and new evidence leads you a different direction. 

Caleb Barlow: So probably the first thing we have to recognize is that a lot of the decision-making we need to make in a large-scale cybersecurity incident probably isn't held with governors and, you know, the executive branch of the United States government. It's probably held in private sector enterprises. It's probably held in ISACs, where people can be both better informed of what's actually happening. But also, you've got security professionals making some of those decisions. And that's a gigantic shift from how we think about your typical emergency response today. 

Dave Bittner: So should we be looking at some sort of, you know, global tabletop exercise? 

Caleb Barlow: Well, it's not a totally bad idea, especially if the exercise extends into both the public and private sector. There's some other things we've learned in this crisis, though, that we've got to figure out. It isn't just sitting down and laying out our run books. Like, how are we going to counter disinformation? Now, this is something as a security professional I have never really thought about before. But one of the things this pandemic taught us is that we're going to have to have very robust tools, not only to communicate with each other when the internet is potentially down, which, by the way, is not easy. But also, we're going to have to make sure we can communicate at levels of trust and counter-disinformation that may be coming from other governments, from the bad guys, from here, there and everywhere. And that's something I don't think is in anybody's run book today. 

Dave Bittner: Yeah. I mean, it's fascinating the lessons that we've learned here, isn't it? 

Caleb Barlow: It really is, but here's the thing. Let's not let the crisis go to waste, and let's see what we can learn from it. 

Dave Bittner: Yeah. Yeah. All right. Well, Caleb Barlow, thanks for joining us. 

Caleb Barlow: Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, it'll keep you informed, and it takes a licking and keeps on ticking. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.