The CyberWire Daily Podcast 10.19.20
Ep 1196 | 10.19.20

Influence operations and cyber probes of presidential campaigns. TrickBot’s recovery. Remote learning woes. Port facilities in Iran reported to have been targeted in cyberattacks.


Dave Bittner: Updates on influence ops and campaign hacking show that the opposition has its troubles, too. TrickBot operators seem to have returned to business. Schools' remote learning programs are providing attractive targets for cybercriminals. Iranian news outlets say ports were the target of last week's cyberattacks. David Dufour explains how phishing campaigns capitalized on a global crisis. And Charlie Tibor says, hello, world - we paraphrase.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 19, 2020. 

Dave Bittner: In news that just broke this afternoon, the U.S. Justice Department announced the unsealing of an indictment against six Russian GRU officers belonging to Unit 74455, a group known as Sandworm. 

Dave Bittner: In the present indictment, the Justice Department notes that while it indicted members of the Sandworm unit for election-related attacks, in this case they're being called out for actions related to the disruption of Ukraine's power grid and the subsequent NotPetya destructive attack that spilled far beyond Ukraine. NotPetya had worldwide effects, shutting down companies and causing immense harm. The Justice announcement points out that for three U.S. victims, damages exceeded a billion dollars and that, globally, the transportation and healthcare sectors were especially targeted. 

Dave Bittner: Justice is particularly hard on the Sandworm team and calls the conspirators' actions on the part of the Russian government irresponsible, more like the activities of a petulant child than a responsible government. The indictment, Justice says, lays bare Russia's activities to disrupt the internal politics of other countries. 

Dave Bittner: Cisco's Talos Group, Facebook, Twitter and Google were thanked, as were Five Eyes partners, for their cooperation in the investigation. The indictments were issued by a federal grand jury in Pittsburgh, where the U.S. attorney for the western district of Pennsylvania and the FBI's Pittsburgh field office led the investigation. This is a developing story. We'll follow up on it as more news emerges. 

Dave Bittner: There are a number of follow-ups to earlier stories today. 

Dave Bittner: Late Friday, Google published an update on what it's observed of foreign intelligence services activities against U.S. political campaigns. Over the summer, Google's Threat Analysis Group monitored attempts by Iran's APT35 - also known as Charming Kitten - and Iran's APT31, or Judgment Panda, to compromise email accounts belonging to staffers at both the Trump and Biden presidential campaigns. The attacks were carried out by phishing. Google says it saw no signs that the attacks were successful. 

Dave Bittner: The Threat Analysis Group also observed spammy, clumsily executed attempts at influence operations directed against U.S. audiences by inauthentic networks run from China. 

Dave Bittner: Quote, "this network has a presence across multiple platforms and acts by primarily acquiring or hijacking existing accounts and posting spammy content." There's that word, Spammy. And Google adds that the content was in Mandarin and featured the usual internet geegaws of such clickbait as videos of animals, music, food, plants, sports and games. 

Dave Bittner: Google went on to say that, quote, "a small fraction of these spam channels will then post videos about current events. Such videos frequently feature clumsy translations and computer-generated voices. Researchers at Graphika and FireEye have detailed how this network behaves, including its shift from posting content in Mandarin about issues related to Hong Kong and China's response to COVID-19 to include a small subset of content in English and Mandarin about current events in the U.S., such as protests about racial justice, the wildfires on the West Coast and the U.S. response to COVID-19," end quote. 

Dave Bittner: Most of these were carried out over YouTube, marred by clumsy machine translation and ineffectual execution. It's worth remembering that the opposition isn't always 10 feet tall - that's 3 meters and a few baker's dozen of millimeters for those living in, well, basically anywhere but here in the U.S. of A. That's not a counsel of relaxed vigilance - just a realistic appraisal that the opposition has its problems, too. 

Dave Bittner: CrowdStrike has a dispiriting follow-up to the recent public-private interference with the TrickBot gang. The disruption that interference caused seems to have been quick and sharp, but unfortunately, the TrickBot gang - Wizard Spider in CrowdStrike's threat menagerie - seems to have recovered faster than anyone would have wished. Their BazarLoader Trojan's distribution is rising, and the rates of Conti and Ryuk infestations seem to have returned to their normal levels. No one expected the takedowns to amount to more than a temporary disruption, but unfortunately that disruption has proved more temporary than hoped. 

Dave Bittner: BleepingComputer reports that TrickBot operators have begun using the legitimate project management solution Basecamp to host the Trojan BazarLoader with the ultimate goal of installing Ryuk ransomware. Researchers at the security firm Cyjax made the point that insinuating a loader into a legitimate service increases the likelihood that defenses will interpret the malicious code as benign and pass it through to its targets. 

Dave Bittner: Schools, forced by the COVID-19 pandemic to operate online with large, often poorly protected attack surfaces, continue to attract the attention of cybercriminals, The Wall Street Journal says. For many individual schools and school districts, the general shift to online virtual learning has itself represented an improvisation. It's terra incognita for students, faculty, administrators and, we might add, parents. 

Dave Bittner: Under these circumstances, attacks have ranged from prank-level denial-of-service escapades by students interested in doing even less to full-scale ransomware attacks. The criminal extortion is at once more serious and more widespread. Where availability is at a premium, as it is with schools, the ransomware threat bites harder. 

Dave Bittner: Iran's Ports and Maritime Organization reported that last week's cyberattacks against the country targeted ports but were unsuccessful. Port Strategy reports that no other details have been forthcoming. 

Dave Bittner: And, finally, in a CyberWire exclusive, we are authorized to disclose the arrival, on or about 9 o'clock Friday morning, of Charlie Tibor Komaromy, the new son of our colleague, producer Kelsea Bond. The tale of the tape puts Charlie at 6 pounds, 1 ounce and 20.6 inches long. The pictures of him look great. And our maternity desk tells us that the hat he's wearing was a gift, that he did not arrive with it on his head. So congratulations to Kelsea and Steve. Looking ahead, listeners, please block out some internship opportunities in your organization for Charlie in 2036 - we think he's going to be precocious. And share the young family's joy; all of us at the CyberWire do. 

Dave Bittner: And I am joined once again by Rick Howard. He is the chief security officer and chief analyst here at the CyberWire. Rick, I got to say, I'm a little jealous. 

Rick Howard: (Laughter). 

Dave Bittner: You recently had the opportunity to sit down with one of our favorite authors. What can you tell us about that? 

Rick Howard: Yes, I got to interview David Sanger again. OK, he is the noted New York Times journalist, three-peat Pulitzer Prize winner. And doesn't that make you... 

Dave Bittner: But who's counting? (Laughter). 

Rick Howard: Yeah. I'm feeling a little bit inadequate at this point. 

Dave Bittner: Right. Right. He's got a shelf full. 


Rick Howard: I can barely tie my shoes in the morning (laughter). He is an author, and now he's a producer of an HBO documentary about his most recent book, "The Perfect Weapon: How the Cyber Arms Race Set the World Afire." The documentary starts streaming on 16 October at 8 p.m. on HBO and HBO Max. And I highly recommend it. I've seen it twice now. 

Dave Bittner: Now, my recollection is that you and I are on the same page here. We both really enjoyed that book. Where does it fit into your collection of, you know, the great cybersecurity books? 

Rick Howard: Yeah, you're right. You and I love talking about that. And, you know, for years that - if anybody ever asked me about what is the one book they should read to get a sense of the cybersecurity community, I would always recommend an old favorite, "The Cuckoo's Egg," by Dr. Clifford Stoll - a favorite by everybody. He published it in the late '80s. That book convinced a lot of people to pursue cybersecurity as a career in the early days, including me. All right? But if there is any book that could potentially knock "Cuckoo's Egg" off that lofty perch, it is Sanger's "Perfect Weapon." 

Dave Bittner: Wow. All right. Well, it doesn't get much higher praise than that. 

Rick Howard: (Laughter). 

Dave Bittner: Well, for you, what are the takeaways? I mean, we have the book and now also the documentary. What were the take-homes for you? 

Rick Howard: Well, Sanger has captured completely - all right? - the seminal paradigm shift in thinking by nation-states around the world in the last decade from cyber just being a novelty item with limited capability and use to cyber being a strategic tentpole lever as an instrument of political power and influence. 

Rick Howard: Before 2010, most nation-states, including the U.S., thought about cyber as a novel tool for a subset of cyber-espionage requirements. But today, though, cyber has become the political lever to pull for nation-states like China, Russia and the U.S. that are just short of actual warfare. These nations can do extreme damage to each other in the cyber arena without the fear that they - the action will escalate to a shooting war. And then, for smaller nations like North Korea and Iran, cyber has become the great playing-field leveler. These smaller nations can exact the same kinds of damage as the big boys now at a fraction of the cost compared to trying to match, you know, U.S. numbers of tanks, aircraft carriers and jets. 

Rick Howard: Sanger's book and now his documentary capture this paradigm shift perfectly. Here's David, after I interviewed him, explaining the book and the documentary. 

David Sanger: Well, Rick, the concept behind the book was that we went through years in which, in the national security world, people viewed cyber as the sort of interesting side, irregular warfare kind of thing that, you know, was sort of a nice thing to spend a half an hour learning about while you were spending the year or two years or your career learning about traditional national security. 

David Sanger: And what have we discovered in the time since? That it's not the sideshow; it is the show - that in a world in which no one wants to take on the U.S. military directly, for all the understandable reasons, it is suddenly possible to undercut American power or another adversary's power by using a short-of-war cyber-related weapon, whether it - you are hacking into infrastructure, dams, voting machines, electric power grids, a financial system, or whether you're hacking into minds, the information wars that we've seen surrounding the 2016 election and begun to see in 2020, although here in the 2020 election, as we'll discuss, we've got some new concerns that go beyond what the Russians did four years ago. 

David Sanger: So we brought it sort of up to date. You'll see a lot of different people talking about what it's like to have been on the receiving end of this and the sort of fog of war. You've got everyone in this documentary from Hillary Clinton and John Podesta, who sat down to talk about the 2016 election, to Seth Rogen, who was the star of, of course, "The Interview." And he is very funny, I do have to say. 

David Sanger: And you'll see people like Eric Rosenbach, co-director of Harvard's Belfer Center but was the chief of staff to Ash Carter at the Pentagon when he was secretary of defense, talking about the calculus that you make as you're under cyberattack or as you're trying to think about what the U.S. can go do. So the idea is to bring you in at a very human level to the kind of decisions that have to be made when you're on the receiving end and when you're on the offensive end. 

Dave Bittner: You know, Rick, one thing about the book - I mean, obviously, extremely well written by David Sanger, but one other thing that I remember as I was going through it was this is one of those books where I had to pause every now and then... 

Rick Howard: (Laughter). 

Dave Bittner: ...And go back and reread a paragraph, and part of that is that this book is so packed with information. How do you convert that to a documentary? How do you distill it down to something when you don't have the amount of time that you have in a book and, also, I mean, it's a different medium? 

Rick Howard: Yeah. You know, I took - I don't know. I had maybe 20 pages of notes when I went through that book the first time. That's how much information is in it. But I would say that the documentary finds a nice throughline of the book's material. They don't go through everything, of course, but they pick the highlights. 

Rick Howard: They start off with Stuxnet in 2010, which is arguably the beginning of this new kind of thinking, when the U.S. and Israel decided to use cyber as a way to delay the Iranian nuclear program. They moved to the Iranians' attack on the Sands Casino in 2014, demonstrating that a small nation can devastate a mini-city because most people don't realize that, you know, casinos are mini-cities. Besides the gambling, they have all that, you know, admin stuff they got to do. 

Rick Howard: And then from there, they covered the North Korean attacks on Sony, showing that a small country could prevent a major U.S. corporation from doing what they wanted to do, namely showing a crappy movie in theaters. They pretty much stopped that, right? 


Dave Bittner: Right. 

Rick Howard: And then, finally, they switched to the Russians, one of the big boys, and their cyberattacks against the Democratic National Committee and their subsequent influence operations on the U.S. election. They talk a lot about how the Russians used Ukraine as a Petri dish to test their operations with the big malware operation of NotPetya. 

Dave Bittner: Yeah, well, I'm on board with you here. This is definitely one to check out. The documentary starts streaming on October 16 at 8:00 p.m. Eastern Time on HBO and HBO Max. You can listen to Rick's full interview with David Sanger about the book and the documentary. That'll be up later this week on CyberWire Pro. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is David Dufour. He's the VP of engineering at Webroot. David, it's always great to have you back. I know you and your team recently published a report that was about phishing and how things have changed during our global pandemic. What can you share with us today? 

David Dufour: Hey, David. Great to be back, as always. Yeah, we typically do an annual threat report. But this year, with everything going on in the world, we decided we might want to do a mid-year, you know, temperature check just to see how things are going. And phishing came to the top. 

Dave Bittner: (Laughter). 

David Dufour: You know, we were focused on COVID and working from home, and it was all about phishing. 

Dave Bittner: So what sort of things did you find here? 

David Dufour: Well, if you can believe it or not - and I'm not talking about malicious email; I'm talking about email in general - we saw a 34% increase in the amount of email people were getting. And I thought a year ago I was getting a lot of email, but a third more now is - it's just crazy how we're getting inundated. 

David Dufour: And so, of course, inside of those - of that increase, we're seeing a huge uptick in the phishing campaigns that are being put on through COVID, you know, people wanting to get their stimulus check and telling you how you can get it quicker, you know, these types of things. We're really starting to see a lot of threats around that. 

Dave Bittner: Well, with the increase in email, what kind of stuff are we seeing hitting our inbox? 

David Dufour: Well, I think none of this will be surprising, but it's just kind of critical to bring up so people are keeping it top of mind. A lot of things are - hey, make a donation or, you know, click here, click this link to be able to donate to help COVID survivors or things of that nature. Or maybe - hey, you want to get your stimulus check quicker, click this link and give us your account information, and we'll get your stimulus check deposited in, you know, a few minutes. None of that is true. You know how that works, David. 

Dave Bittner: Yeah. 

David Dufour: They're just trying to get you to click that link. 

Dave Bittner: Is the educational message getting around? I mean, are people knowing to not click on these things? 

David Dufour: Well, absolutely they are. And that actually impressed us quite a bit, that people are aware that they shouldn't be clicking phishing links. People are very knowledgeable about what phishing is. 

David Dufour: The problem that we're seeing is kind of twofold. One - people are getting inundated with emails from colleagues or, you know, customers even, where it may be coming from their personal account, it may be coming from their business account because everyone's working at home, so they're getting a lot of email from unfamiliar places, and some of it's legitimate for them to do their job. 

David Dufour: And the other big issue is you're at home with little Susie or little Johnny from school and you're trying to make them lunch and you're trying to answer emails and you're trying to respond to your boss, and so there's also a distraction factor, where people aren't as focused on what they're reading and they're more apt to click as well. 

Dave Bittner: So what are the take-homes here? I mean, are there technical solutions? Is this a training issue? Or is - a little mix of both? 

David Dufour: Well, I think it's a little mix of both. I think everyone has fully accepted that every employee is now front-line IT support because we're not sitting in an office. So there is an education component. 

David Dufour: And that - the refreshing thing - and you and I have talked about this many times on the show. The security industry has realized that the user's not as dumb as we want to make them out to be. People really want to do the right thing. If we can educate them - like I said, most people know what phishing is. We just got to keep it top of mind and in their brain to be aware of it. 

David Dufour: But on top of that, the thing that people really need to be doing is slowing down and taking the time to read what's going on. And if you're in a busy spot, maybe don't answer your email. Set aside some time when you can do it thoughtfully. 

Dave Bittner: I guess part of that's a leadership thing, too - making sure that your team knows that you want them to take time looking at those emails, you know, deciding whether they're legit or not. Slow down. Don't rush. We're going to give you - provide you with the time to do this. 

David Dufour: That's exactly right. And it's also - to take a, you know, example out of the government playbook, you know, the IRS is never going to send you an email saying, click this link and give me your bank account information. 

David Dufour: So to your point, David, you know, management of the company of people working from home should be like, look; if it's urgent, I'll give you a call. If it's in an email, you know, get to it when you can. Just stay focused on the work you're doing. And if there's a little bit of a distraction, that's OK. 

David Dufour: And to your point, we need to make that clear to our employees - that, you know, we'll get ahold of you some other way. Still, don't click the link. Email is not going to be the urgent - everything's on fire, drop everything you're doing and tell me your bank account information. 

Dave Bittner: Right. Right. All right, interesting information. David Dufour, thanks for joining us. 

David Dufour: Great being here, David. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. You deserve a break today. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.