The CyberWire Daily Podcast 6.14.16
Ep 120 | 6.14.16

Run DNC. Online inspiration and the limits of investigation. North Korean cyber ops.


Dave Bittner: [00:00:03:23] Russians hack the Democratic National Committee, investigation continues into apparent jihadist inspiration behind the Orlando nightclub massacre. North Korea appears to have engaged in a long-running campaign of cyber espionage against the South. The Molerats' failure to clear document information may have unmasked them. Vawtrak improves its game, but continues to be distributed via malicious macros.

Dave Bittner: [00:00:26:10] Shadow apps place enterprises at risk, and application collusion is a problem for mobile users. The Angler exploit kit seems to have practically vanished, replaced by Neutrino. Symantec's acquisition of Blue Coat fuels M&A speculation, and the price of the Window LPE zero-day keeps dropping.

Dave Bittner: [00:00:51:01] Once again, I want to mention one of our sponsors, E8, and ask that question once again: do you fear the unknown? Lots of people do, of course. Ghosts, poltergeists, stuff like that. But we're not talking about those, we're talking about real threats: unknown unknowns lurking in your network. The people at E8 have a white paper on hunting the unknowns with machine learning and big data analytics that go beyond the old school legacy signature matching and human watch standing. Go to, and download their free white paper, “Detect, Hunt, Respond.”

Dave Bittner: [00:01:23:07] It describes a fresh approach to the old problem of recognizing and containing a threat no one's ever seen before. The known unknowns, like mermaids and hobbits, they're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them: Check it out.

Dave Bittner: [00:01:49:16] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, June 14th, 2016. In news that began breaking shortly before noon today, the Democratic National Committee says that it has been hacked by Russian intelligence services. The spies have been in their network since last summer. The DNC noticed signs of trouble in late April of this year, and eventually hired security company CrowdStrike to investigate and remediate the intrusion.

Dave Bittner: [00:02:14:16] DNC chair Debbie Wasserman Schultz, a representative from Florida, said as quoted in the Washington Post, "The security of our system is critical to our operation and to the confidence of the campaigns and state parties we work with. When we discovered the intrusion, we treated this like the serious incident it is, and reached out to CrowdStrike immediately. Our team moved as quickly as possible to kick out the intruders and secure our network."

Dave Bittner: [00:02:38:12] CrowdStrike is said to have found two threat groups in the DNC's network, which they're calling "Cozy Bear" and "Fancy Bear." Cozy Bear, possibly an FSB operation - that is, the descendant of the KGB - that's the one that's been monitoring DNC email and chat since last summer. Fancy Bear, also Russian, and in CrowdStrike's view clearly GRU, which is to say military intelligence, is the one that tripped the alarm when it arrived this April.

Dave Bittner: [00:03:05:03] Fancy Bear is said to have stolen documents and to have obtained access to the systems used by the DNC's entire research staff. That research prominently includes opposition research on presumptive Republican nominee Donald Trump, and this is the compromise that's attracting press attention.

Dave Bittner: [00:03:21:19] How the attackers got in is unknown. CrowdStrike cautiously speculates that it was spear phishing. We spoke to STEALTHbits Technology's Adam Laub. He offered this perspective.

Adam Laub: [00:03:32:09] The interesting part about it is it seems that the Russian hackers themselves hadn't been the ones rattling around inside the DNC. It was really their monitoring of somebody else who had done the hacking to begin with: a Romanian hacker. But they got the information almost by accident, or second hand, as a result of monitoring somebody else. Anything having to do with American politics is of interest to other nation-states that perhaps aren't big fans of the United States, and even potentially our allies.

Adam Laub: [00:04:06:08] I think that given the current events around the political campaigns being run here in the United States, and potentially the opportunity to affect the outcomes of those campaigns by, again, nation-states that aren't particularly enamored with the United States and our policies, would relish the opportunity to have information that would lead to an outcome of their desire.

Dave Bittner: [00:04:34:17] The story is still developing, but one thing that struck us was that the Russians seemed to not do a whole lot to try to cover their tracks. We asked Adam Laub about this, and he said he didn't find it particularly surprising, given the players.

Adam Laub: [00:04:47:18] Anything with the Putin administration, bravado is at the core of what goes on, from a news perspective. You look at the G8 summit last year in Australia, Putin pulled up a couple of warships off the coast of Australia just to flex his muscles a little bit. This is no different in terms of claiming responsibility for having this information, whether they did obtain it themselves through their own techniques or nation-sponsored hacking organizations, or whether they did get it through this other well-known Romanian hacker that they had been following and obtained information from.

Dave Bittner: [00:05:28:19] That's Adam Laub from STEALTHbits Technologies.

Dave Bittner: [00:05:33:05] The investigation into Saturday's massacre at Orlando's Pulse nightclub continues. A look at the shooter reveals retrospectively a history of online jihadist radicalization, giving some point to ISIS claims of responsibility for the murders. That responsibility, as is typically the case with ISIS operations outside the dwindling territory under the caliphate's control, is a matter of inspiration. The civilized world is yet to find the right information operations to deploy against ISIS, in part because ISIS messaging is so alien to the marketing understanding prevalent among its opponents.

Dave Bittner: [00:06:07:01] The self-declared caliphate doesn't promise jobs, healthcare, education, or ease. Instead, it promises righteous rule, justice, meaning, and transcendence. And it does so with a message of death.

Dave Bittner: [00:06:19:08] Omar Mateen, the shooter, was twice interviewed by the FBI, once in 2013 and again in 2014. He was also, problems and all, deemed employable by a physical security company. Thus, US investigators, especially the FBI, have come under considerable criticism for failing to stop the shooter. He's being called a "known wolf." But much of the criticism seems wayward. It's difficult to see how any of the warning signs, so clear in hindsight, might have given probable cause to watch or detain, still less prosecute, Mateen.

Dave Bittner: [00:06:51:07] It's also worth noting that, with respect to inspiration, intraislamic squabbling among competing jihadist groups seems not to matter much. There's evidence Mateen, while unable to distinguish ISIS from Al Qaeda from the Taliban, caught the common underlying call to jihad clearly enough.

Dave Bittner: [00:07:09:00] Outlines of the long-running North Korean cyber campaign against South Korean enterprises become clearer. The DPRK's hacking seems to have aimed principally at espionage. News reports highlight theft of some aviation design data from cooperative US/Republic of Korea combat aircraft programs. But also as data destruction. 42,000 documents are said to have been destroyed.

Dave Bittner: [00:07:31:17] South Korean authorities say that the stolen data wasn't especially sensitive, but there are widespread concerns that the long-running campaign was battle space preparation for some larger, more damaging operation. In fairness to the DPRK, we must note that Pyongyang denies the allegations, and denounces them as a provocation. In justice to common sense, however, we must also note that signs point to Pyongyang.

Dave Bittner: [00:07:57:16] A bit more has emerged on how the Molerats, Palestinian hacktivists operating from Gaza and elsewhere against Israeli targets, were uncovered. ClearSky reports that apparently one of their malware developers neglected to clear the properties of a Word document they were using as a vector.

Dave Bittner: [00:08:13:11] According to Sophos, Vawtrak, a banking Trojan that's been in circulation for some time, is picking up new capabilities: mostly improved evasion and obfuscation and new target sets. The Trojan is typically distributed by email in the bogus guise of a US Postal Service invoice. It uses corrupt macros to deliver pony malware.

Dave Bittner: [00:08:33:22] App security worries enterprises, especially since apps loosely construed are the biggest part of shadow IT. A study by CloudLock Cyber Lab reports that since 2014, shadow apps have increased by a factor of 30 on corporate networks. The study classifies 27% of third party apps as high risk, opening enterprises to exploitation by attackers able to impersonate legitimate users.

Dave Bittner: [00:08:58:03] McAfee Labs has been taking a look at mobile apps in particular, where they see an increase in the risk of collusion: a situation in which attackers use two or more apps against a target. The common outcomes of successful collusion are information theft, financial theft, and service misuse.

Dave Bittner: [00:09:14:24] There are other noteworthy developments in the black market. For some reason, the Angler exploit kit appears to have fallen completely out of favor. Its former business having moved, for the most part, to the Neutrino kit. Why this has happened remains something of a mystery, especially given Angler's recent upgrade to evade Microsoft's EMET security suite. But Malwarebytes reports that spammers have essentially abandoned it, and that ransomware purveyors are shifting to Neutrino.

Dave Bittner: [00:09:41:12] In the legitimate cyber sector, Symantec's announcement of its acquisition of Blue Coat prompts M&A speculation about CyberArk, a potential acquisition, Check Point, a potential buyer, FireEye, a potential acquisition and a potential buyer, Imperva, and Proofpoint, both potential acquisitions. ManTech is acquiring the computer network operations practice of Oceans Edge.

Dave Bittner: [00:10:05:11] Finally, that flashy, splashy Microsoft local privilege escalation zero-day that hit the black market on May 11th continues to drop in price. Initially offered at $95,000, the crooks have already knocked it down to $85,000. Still pricey - you can get a building lot in Laurel, Maryland, for $85,000. But the discounting suggests some marketing problems. Maybe they need a catchy name. May we suggest "Bounder," "Squatter," "Carpetbagger," or "Occupy Windows" as possibilities? Discuss among yourselves.

Dave Bittner: [00:10:41:12] I'd like to take a moment to give a quick thanks to our sponsors at ThreatConnect. ThreatConnect is an enterprise-level security platform that allows you to unite all your people, processes and technologies behind an intelligence-driven defense. They're teaming up with Forrester, the global research and advisory firm, for a look at fragmentation in the security industry, what it means, and what can be done about it. You can hear what they have to say and consider how to apply the lessons to your own organization by signing up for ThreatConnect's webinar. It's scheduled for Tuesday, June 28th.

Dave Bittner: [00:11:11:10] Catch Forrester's Jeff Pollard and ThreatConnect's Chief Intelligence Officer, Rich Barger, as they discuss the issues fragmentation poses for organizations of all sizes, and offer their thoughts on how to unify security operations in your enterprise. Visit, and tell them the CyberWire sent you. Best of all, the price is right: free. That's

Dave Bittner: [00:11:40:21] Joining me once again is Ben Yellin from the University of Maryland's Center for Health and Homeland Security. Ben, I saw an article in Motherboard recently about a decision a judge made that makes it a little harder for the FBI to use hacking. What can you tell us about this story?

Ben Yellin: [00:11:55:12] So, just a little bit of background: the FBI was investigating a person named Jay Michaud, who is a Vancouver public schools worker. And Michaud ended up being arrested in July of last year as part of the FBI's investigation into a website that does child pornography, it's called Playpen. And the investigative technique the FBI used to gain evidence, was that it hacked into Playpen and took control of it for a couple of weeks back in February if 2015. They actually ran the entire site from a government server, and employed what's called a network investigative technique, or NIT, which is just a piece of malware that reveals information on the site's users.

Ben Yellin: [00:12:46:04] The FBI used evidence gained from this hacking technique to doxx this person who was trafficking in child pornography. This was the evidence that they were going to use to present at trial, and a judge just ordered the FBI to reveal the full code used for this hacking. So, the FBI refused. The FBI didn't want to reveal its methods, and the judge held that if they didn't disclose their method of hacking, then the evidence would not be permitted, and this might allow a criminal, someone who traffics in child pornography, to go free. So, it's a very significant decision.

Ben Yellin: [00:13:25:05] The Justice Department is fighting this order, asking the judge to reconsider, but it could very wide-reaching implications. This is a very, very effective tool for law enforcement to catch some of our worst criminals, traffickers child pornographers. It could definitely be used in terrorism cases, and judges are recognizing that unless the FBI details its method of hacking, they can't be sure that the hacking has gone beyond the parameters of the original search warrant given the FBI to conduct the searches. So, I think this could have a very significant and potentially detrimental effect on law-enforcement going forward.

Dave Bittner: [00:14:07:22] All right, Ben Yellin, interesting story; we'll keep an eye on it. Thanks for joining us.

Dave Bittner: [00:14:14:13] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary, and more, visit Thanks to all of our sponsors who make TheCyberWire possible. If you'd like to place your product, service, or solution in front of people who will want it, you'll find few better places to do that than the CyberWire. Visit the and find out how to sponsor our podcast or daily news brief.

Dave Bittner: [00:14:37:16] The CyberWire podcast is produced by Pratt Street Media; the editor is John Petrik, I'm Dave Bittner. Thanks for listening.