The CyberWire Daily Podcast 10.22.20
Ep 1199 | 10.22.20

Recent email threats to US voters appear to be an Iranian operation. Notes on cyberespionage and influence operations. Hold the “blatant Russophobia,” TASS?

Transcript

Dave Bittner: Hey, everybody - Dave here. Did you know that the CyberWire is the world's largest B2B cybersecurity podcast network? Each month, our popular programs reach over a quarter of a million unique listeners that care about cybersecurity, including some of the most influential leaders and decision-makers in the industry. More than 80% of our audience are part of the decision-making process at their organizations, and more than 70% reported checking out the sponsors' website after hearing an ad. The CyberWire is one of the best ways to grow your brand, generate leads and fill that sales funnel. From the Fortune 10 to emerging startups, we have options to help you reach your goals and to fit your budget. Our podcasts are sold out for this year, but we're now booking 2021 and beyond. Contact us today by visiting thecyberwire.com/sponsors to learn more. And tell them Dave sent you.

Elliott Peltzman: Email election threats to U.S. voters are identified as an Iranian influence operation - disruptive and so more in the Russian style. Both Iran and Russia appear to be preparing direct marketing influence campaigns. Cybercriminals are also exploiting U.S. election news as phishbait. Seedworm is said to be retooling. Caleb Barlow from CynergisTek on contact tracing and privacy as students head back to school. Our guest is Jadee Hanson from Code42 on juggling priorities and protecting her organization as external and internal threats constantly take aim. And TASS deplores the blatant Russophobia of recent Five Eyes official remarks. 

Elliott Peltzman: From the CyberWire studios at DataTribe, I'm Elliott Peltzman, sitting in for Dave Bittner, with your CyberWire summary for Thursday, October 22, 2020. 

Elliott Peltzman: The U.S. director of national intelligence yesterday said that the threatening emails received by voters in several states were the work of Iranian threat actors. See the AP for a general account. Both KnowBe4 and Proofpoint have published discussions of the emails. The text looked much like that found in sextortion phishing, except that in this case, the threat conveyed was that the attackers knew who the voters were, where they lived and would visit them with violence if they did not vote for President Trump's reelection. 

Elliott Peltzman: We asked KnowBe4 when they sent us their analysis if this didn't amount to phishing without phishhooks. KnowBe4's response - quote, "As for CyberWire's question, they're correct. At first glance, this does appear to be a phishing email, as it resembles classic sextortion emails that are now very common. That said, there are no malicious links or attachments and no demands for money. The email mainly demands votes and changes of voter registration," end quote. 

Elliott Peltzman: The senders claimed to represent the Proud Boys, a white supremacist fringe group, but that claim was quickly disavowed and debunked. The threat the emails conveyed is also no more credible than the threats conveyed by their sextortion models. The intent appears to have been disruptive. Whatever Tehran takes its interest to be, as Defense One notes, the reelection of President Trump is unlikely in the extreme to figure among them. 

Elliott Peltzman: Proofpoint said in response to a question we sent them that they had no direct insight into the party affiliations of the people who received the emails. The emails themselves accused the recipients of being known Democrats. But that, of course, doesn't mean that they were or are. And various news outlets have said that people registered as Republicans or independents or Libertarians or Bread and Roses members or prohibitionists or whatever may well also have received the emails. Republicans and independents, anyways - we're just speculating about the others. 

Elliott Peltzman: All this suggests poor aim in what amounts in terms of tactics, techniques and procedures to a direct marketing campaign. The Washington Post quotes the Foreign Policy Research Institute's Clint Watts, whose Twitter feed has an instructive discussion of why, on grounds of sheer argument to best explanation, the operation looks like one of Iran's. It's ill-timed for one thing and runs against the interests of the Trump campaign, whatever the text of the email might say. President Trump is, as we noted above, not exactly flavor of the month in Tehran. Above all, it's sloppy. We can see that. Marketing campaigns for, say, vacation timeshares or Jazzercise franchising opportunities would be better directed, to say nothing of the rifleshot accuracy of association Chrome or Amazon serve up piping hot. 

Elliott Peltzman: The Wall Street Journal reports that the director of national intelligence also said that not only Iran but Russia, too, had obtained voter registration data. Such data are, in most U.S. jurisdictions, matters of public record - freely available. And authorities expect to see more use of such information in the final weeks before the election. So of course the claim in the emails that the attackers had penetrated election systems is hooey. 

Elliott Peltzman: KnowBe4 added in their reply to our questions, quote, "Moreover, it's worth pointing out that the entire threat in this email turns on the claim to have penetrated election systems, giving whoever is behind these emails the ability to monitor users' election behavior. That's just not a credible claim, as it is simply not believable that a group that had managed to penetrate election systems would be advertising the fact in such a public manner for several weeks before the election. We would expect any group that penetrated those systems to be sophisticated enough to hold their tongues and bide their time, waiting for the opportunity to do real damage come Election Day," end quote. 

Elliott Peltzman: The Washington Post characterizes the threat as long expected, quote, "targeting voter confidence rather than ballots and run on the cheap, probably with publicly available data," end quote. As we said, direct marketing but selling fear and mistrust as opposed to sports memorabilia or garden tools or - well, you get the picture. 

Elliott Peltzman: Not every election-related activity is espionage, however. There's plenty of opportunity to go around. Reuters reports that Facebook in its latest discussion of the inauthenticity it continues to whack says that criminals in many countries, from Albania to Vietnam - Reuters says alphabetically, since apparently Zimbabwe is cybercrime free - are taking opportunistic advantage of the U.S. elections to stage various criminal campaigns. Many of these will involve phishing, so be on your guard. 

Elliott Peltzman: And not every Iranian cyber-espionage effort is devoted to impersonating the Proud Boys either. Symantec has an update on the activities of MuddyWater, the Iranian threat group also known as Seedworm. The researchers say that Seedworm is retooling and has brought the PowGoop tool into its arsenal. Seedworm's targets are regional rivals - Iraq, Turkey, Kuwait, UAE and Georgia. 

Elliott Peltzman: TASS is authorized to disclose that accusations of misconduct in cyberspace leveled against the Russian government in general and the GRU in particular are not only baseless but amount to blatant Russophobia. They're talking about the U.S. indictment of the six GRU officers and the British denunciation of that same GRU for a wide range of offenses, ranging from hacking Olympic Games to murdering people with nerve agent. But TASS says it's all a bum rap and regrettable and people shouldn't make such accusations and so on, says TASS, all you Russophobes, you. 

Elliott Peltzman: In a year full of surprises, there's a lot on the minds of CISOs. Let's hear now from Code42's CISO Jadee Hanson. She sat down with Dave recently to talk about juggling priorities and protecting her organization as external and internal threats constantly take aim. 

Jadee Hanson: I think it's really important to remember that our mandate as security professionals hasn't changed. Our job is to protect the company in whatever circumstances we're in. And I also think it's really important that we remember to stick to the strategies and the plans and the maturity programs that we have in place. You know, the one thing that we do have to account for is a shifting landscape. And so, you know, we need to stick to our strategies. But at the same sense, like, we need to bring in kind of shifting landscapes. So maybe that's a different type of attack vector one quarter, and maybe that's everybody's working from home another quarter. 

Jadee Hanson: I think as we look to 2021, one of the things that we're going to continue to be challenged with is just, how do we make sure to stick to our strategy in this new work-from-anywhere methodology? I don't anticipate that changing anytime soon. And so what - for me, one of the things I think about is just, how do I maintain the right level of visibility to everybody that is sitting in their home office? You know, in the old world, we relied on networks and people in the office. Now our networks span to everybody's homes. And we need to make sure that in 2021, we're really thinking through, how do we enable that? How do we have the right tech in place and the right visibility in place to enable that? And so I think some of the shift in '21 is going to be where we rethink the endpoint. We get away from anything network. And we think about, how do we have the right visibility on the end point to continue to secure the companies that we work for? 

Dave Bittner: You know, based on your experience, looking forward - you know, I'm thinking of advice to other CISOs out there as they're trying to make their plans for the coming months and into 2021. Any advice, any tips or guidance for best practices and what people should be aiming their sights on? 

Jadee Hanson: Yeah, a couple of things. One, I'm kind of going back to what I said earlier. I really think that this shift away from the network is something that we have to embrace. We got to think about, what is the technology that we need on the end point to have the right visibility and the right security controls? So that would be one. 

Jadee Hanson: The other thing that I would recommend, too, is to really think about, like, how we need to collaborate in this work-from-home world and how the security team can really support that. Yes, we need to protect our data. Yes, we need to make sure that we're not - no one's exfiltrating data. But at the same sense, like, we have to support the collaboration that needs to happen. And, you know, now more than ever, we need technology that allows collaboration from team to team. And so thinking through, in 2021, how do you do that? How do you do that in a safe way? And then finally, just - really, that focus on employees. So as you think about 2021, like, what do our employees need? What's the culture that you need to drive as part of the organization? It can't be the same as, you know, the safety that everybody felt in the office prior to pandemic. We need to think about this differently. 

Elliott Peltzman: That's Jadee Hanson from Code42. 

Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great to have you back. You know, I wanted to touch base with you. As kids are considering going back to universities, some places are going back to schools and we're also talking about contact-tracing apps and all that sort of stuff, I mean, this is a lot of information that's being shared. And there are some privacy implications here. And I know that's something that you've been thinking about. 

Caleb Barlow: Well, the first thing to recognize in this, Dave, is that there's a little bit of a public health cyberwar game going on here in that the winners and losers and the pace of recovery for the U.S. as well as across the globe will, in a lot of ways, be determined based on who has access to data, access to vaccines, access to information on treatments. So there's a lot of froth, let's say, in the nation-state world to get access to this type of data. 

Caleb Barlow: But now if we also look at, well, what are people gathering in contact tracing? And, you know, I recently looked at, you know, the surveillance program that some of these universities are putting in place. And they even, interestingly enough, use the word surveillance testing. They're doing things like wastewater testing because that's one of the early ways you can identify COVID. Students have to agree to random tests at any point in time. They're going to have to, you know, kind of get marched off and go get a COVID test. In a lot of cases, they're checking into their dorm room, to the cafeteria, to various classrooms, scanning a QR code. And of course, every security professional who hears the word QR code starts to cringe because we all know you can embed, you know, applications in a QR code, right? 

Caleb Barlow: But what - here's where it gets even more interesting, is some of these schools are even saying, hey, look. You know, we've got this wireless network. We're going to track where you move based on the Wi-Fi hotspots, and we're going to maybe even put an application on your phone. But don't worry. We're all going to put it in a FERPA database, and it'll all be safe. And look; this isn't just universities. This is also employers. In some cases, employers are using, you know, ultrawide-band employee badges to track where you are in a facility and who you get near. 

Caleb Barlow: But here's the big thing that this has that we've never had before in kind of our private data stream. Like, we've all lost our health care data at this point. We've all lost a whole lot of personal information, location data and all that stuff, you know, either from being stolen or from advertisers using it. But the one big thing that we've never really had to tackle with before is, who are we associated with? And all of that is now in this data. And that's not just who I went to class with. That's who I'm dating. That's who I'm married to. That's maybe who I'm having an affair with, right? All of that is now in this contact-tracing data. 

Dave Bittner: Well, so where's the balance there? I mean, if these efforts are being conducted in good faith for good reason in the middle of a global pandemic, how do we strike that balance? 

Caleb Barlow: Well, I think that's actually easy. There's no question we need to do this, right? I think any health care professional is going to look at this and say, yes, this is something we really do need to do. But there are two things we need to do with it. One, when do we stop doing it? And we need to think about that before we start doing it, right? When is the point where we back away from collecting this data? What are the - what do we do with the data when we're done with it, after the has passed? And I think the third thing we've got to think about is, as fast as we're rallying to get kids back to school, to get people back to work, every security professional needs to be standing up and saying, OK, this is a new risk, a new vulnerability - not on my watch. How am I going to rally just as fast to lock this data down and control it so it can't be stolen and inadvertently used? And look; if we all respond to that rallying cry, then we're going to get through this together. The mistake will be if the security teams don't go in right behind them and lock this data down. 

Dave Bittner: All right. Caleb Barlow, thanks for joining us. 

Elliott Peltzman: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Elliott Peltzman: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe - and also our bedrooms - where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Dave Bittner. And I'm Elliott Peltzman. Thanks for listening.