The CyberWire Daily Podcast 10.23.20
Ep 1200 | 10.23.20

Energetic Bear’s battlespace preparation. Selling voter and consumer personal data. GRU, Qods Force sanctioned. How they knew that Iran dunnit.
Dave Bittner: Energetic Bear is back and maybe getting ready to go berserk in a network near you. Someone's selling publicly available voter and consumer information on the dark web. Sanctions against the GRU for the Bundestag hack. The U.S. sanctions Quds Force and associated organizations for disinformation efforts. Johannes Ullrich has tips for preventing burnout. Our Rick Howard speaks with author David Sanger about his new HBO documentary, "The Perfect Weapon," and how Iran was caught in the emailed voter threat campaign.

Dave Bittner: I'm Dave Bittner with your CyberWire summary for Friday, October 23, 2020. 

Dave Bittner: We have several updates today on what TASS would be authorized to call blatant Russophobia. Yesterday, the FBI and CISA issued an alert that pointed out Energetic Bear for intrusions into U.S. state, local, territorial and tribal government networks. Energetic Bear - also doing business as Berserk Bear and unambiguously described as a Russian state-sponsored APT - displayed some interest in aviation networks as well. The Bear, say the bureau and the agency, is, quote, "obtaining user and administrator credentials to establish initial access and enable lateral movement once inside the network and locate high-value assets in order to exfiltrate data," end quote. 

Dave Bittner: One representative attack saw Energetic Bear move across a victim network to access files related to sensitive network configurations and passwords; standard operating procedures, such as enrolling in multifactor authentication; IT instructions, such as requesting password resets; vendors and purchasing information, and printing access badges. Nothing has actually been done with this stuff so far, apparently, at least as far as the FBI and CISA can tell. But it's not the sort of information one would like people who don't have your best interests at heart to get their hands on. The attacks have often been staged through Turkish IP addresses. They've involved brute-forcing of credentials, SQL injection and scanning for vulnerable Microsoft Exchange and Citrix Services. As is now so often the case, the attacks seem to exploit known vulnerabilities and therefore offer another good reason - as if any more were required - to pay close and conscientious attention to patching. 

Dave Bittner: This appears to be reconnaissance and battle space preparation. No disruption so far, but the actor may be seeking access to obtain future disruption options to influence U.S. policies and actions or to delegitimize SLTT government entities. Why would the bears be interested in SLTTs? Well, here's one reason. The SLTTs run elections, not the feds. And who cares who wins the election anyway if you can retrospectively cause people to mistrust the way the votes were counted? Why are they interested in aviation targets? That's less clear. But some malicious aviation-themed sites have been established for drive-by and watering-hole attacks. The alert recommends a number of defense-in-depth measures to monitor network health, mitigate known vulnerabilities and reduce the organization's attack surface by closing down unneeded services. 

Dave Bittner: Much attention is being paid to security firm Trustwave's report of finding large databases of voters and consumers for sale in the RaidForums dark web market. It's worth noting that this activity is distinct from Energetic Bear's snuffling around in state, local, tribal and territorial networks. Most of the records pertain to Americans, but citizens of Canada, the United Kingdom, Ireland and South Africa are also heavily represented. The offerings look like direct marketing databases, and the hoods selling them cheerfully acknowledge that much of the information on the block is freely obtainable from legitimate open sources. 

Dave Bittner: Much of the trade is conducted in Russian. "In the right hands," Trustwave says, "this voter and consumer information can easily be used for geotargeting, disinformation campaigns over social media, email phishing and text and phone scams," end quote. Criminal, political or hacktivist - the tools remain the same. Some of the hoods posting to the forum are a little skittish, suggesting that maybe people should hold off on using this sort of stuff until after the first week in November, when the U.S. elections will be over. And, presumably, the heat will be off a little bit, anyway. Other participants remain indifferent, with one asking if, since he's got U.S. voter databases, you can get a cartoon of a red bear drinking vodka and use it as his avatar. It's always funny until someone gets arrested. 

Dave Bittner: Or if not arrested, at least sanctioned. The EU and the U.K. have both levied sanctions against the GRU and two of its officers who are particularly mentioned in dispatches for having hacked Germany's Bundestag in 2015. This is regarded as a win, ZDNet reports, for the German government, which has been pushing its sisters in the EU to take an official position on the Russian hacking. Dmitry Badin and Igor Kostyukov are the two GRU officers singled out for travel bans and asset freezes, Politico says. Mr. Badin is an operator who's been indicted by both Germany and the United States for other capers. Mr. Kostyukov is a bigger fish. He's the first deputy head of the GRU, and he also commands the 85th Main Centre for Special Services, also known as Military Unit 26165 and doing business as, of course, Fancy Bear. 

Dave Bittner: Other people have also been sanctioned perhaps in what might be called - but hasn't been - blatant Persophobia. The U.S. Treasury Department yesterday announced sanctions against five Iranian organizations for their role in conducting disinformation operations aimed at the credibility of U.S. elections. The five were the Islamic Revolutionary Guard Corps, IRGC, the IRGC-Quds Force, the Bayan Rasaneh Gostar Institute - regarded as an IRGC front - and two media organizations, the Iranian Islamic Radio and Television Union and the International Union of Virtual Media, both, the Treasury says, owned or controlled by the Quds Force. 

Dave Bittner: It's being said dumb mistakes facilitated attribution of the spoofed Proud Boys email threats to Iran - carelessness in a video attached to many of the emails left traceable spoor, Reuters reports. Here's how they know. It was possible from the way the video was shot to do some virtual shoulder surfing. Quote, "the video showed the hackers' computer screens as they typed in commands and pretended to hack a voter registration system. Investigators noticed snippets of revealing computer code, including file paths, file names and an IP address," end quote. The IP address, hosted by Netherlands-based Worldstream, was traced to earlier Iranian attacks. Cross-referencing this and other clues in the video with other sources of intelligence, a U.S. official told Reuters on condition of anonymity, clearly indicated Iran. So straight up, the U.S. says it was Iran. A spokesman for Iran's delegation to the U.N. dismissed the U.S. accusations as malarkey. Quote, "these accusations are nothing more than another scenario to undermine voter confidence in the security of the U.S. election and are absurd," end quote. 

Dave Bittner: But the whole thing could have been avoided had the Iranian operators making the scare video not striven for so much verisimilitude. I mean, we've all seen TV. The way you depict hacking is to have someone sitting at a keyboard - hoodie optional, geeky affect required - staring, typing vigorously for three seconds or so and then announcing, I'm in. You focus on the operator's face, and you don't show the screen. And yet somehow the screen is being projected onto the operator's face. If it works for Hollywood, it should work for Tehran, too. There's a reason genres have rules, you know? As it stands, Quds Force is probably saying right about now, quote, "get me rewrite and hire that Alan Smithee. We've long admired his work." And with that, cut. 

Rick Howard: Hey, everybody. Rick Howard here, the CyberWire's chief security officer and chief analyst. I got the opportunity last week to interview David Sanger, the noted New York Times journalist, three-peat Pulitzer Prize-winner, author and now producer for an HBO documentary about his most excellent book, "The Perfect Weapon: How The Cyber Arms Race Set The World Afire." The documentary is currently streaming on HBO and HBO Max. Here's a piece of that interview. 

David Sanger: There's a scene in the documentary in which Sheldon Adelson, who's a big Republican contributor, goes to Yeshiva University and is giving a talk one day about the Iranian nuclear program. And he says, you know what we ought to do? We ought to take a nuclear bomb and explode it in the Iranian desert and sort of glassify it and then send the Iranians a note and say to them, this is what's going to happen to Tehran if you don't turn over your nuclear program. Now, I teach national security stuff in a graduate course at the Kennedy School at Harvard. And I would not call this the most subtle strategy that I've ever heard. 

Rick Howard: (Laughter). 

David Sanger: But, you know, it's a strategy. 

Rick Howard: When I heard him say that on the documentary, I said, oh, yeah, that's going to turn out well (laughter). 

David Sanger: Yeah. So it turns out that not only were you listening to him say it but it - who knew the Iranians get YouTube? 

Rick Howard: (Laughter). 

David Sanger: And they watched him say it. Sheldon Adelson, desert sands. Wait a minute. This guy owns a casino, doesn't he? He does. He owns the Sands Casino. And what do you know? About three months later, his employees walked in and discovered their hard drives had been wiped clean. 

David Sanger: Now, the immediate response of Sands Casino was to get everybody to sign nondisclosure agreements and just keep this whole embarrassing incident a secret. Fortunately, that failed. And on the documentary, you will see, hidden behind changed voices and darkened shadows so you can't see their faces, some of the employees at the Sands describing what it was like to be on the receiving end of the Iranian hack. 

Rick Howard: So we have Stuxnet. That's U.S. and Israel. We have the Sony attack. So this is North Korea. And we have Sands Casino, which is the Iranians. We can't get you out of here without talking about the Russians... 

David Sanger: The Russians, yeah. 

Rick Howard: ...And not touch it. 

David Sanger: They're busy. 

Rick Howard: Yeah. Talk to us about NotPetya. 

David Sanger: So NotPetya was probably the most damaging hack ever done in terms of monetary damage. It was designed to attack Ukraine and bring it to a halt by going after an accounting system that all Ukrainian businesses are required to use by the tax authorities. But I think it ran on, like, Windows XP. And, you know, that's mostly what people in Ukraine were using. And not all of those - again, I know you'll be shocked. Not all of those were legal copies. 

Rick Howard: Devastating attack. And the Russians have been using Ukraine as a testing ground. I think you called it in the documentary their petri dish... 

David Sanger: That's right. 

Rick Howard: ...To test how to do stuff. And as they roll over to disrupting America, what are they doing against us? 

David Sanger: Well, against us, we saw it in the early attacks on the Pentagon, which really is what resulted in the creation of Cyber Command. And we take you through that a little bit in the documentary. 

David Sanger: But they also went after the email systems at the White House, the Joint Chiefs of Staff, the State Department. They got into the State Department systems, in fact, to the point the State Department had to close down their systems at various points. 

David Sanger: And all of these led the United States to do absolutely nothing in return. And so if you're Vladimir Putin and you're thinking, OK, these guys aren't going to defend the White House system, why would we possibly think that they would care about the Democratic National Committee? And the answer is that Putin concluded they probably won't. 

David Sanger: And, you know, what's really remarkable is Cyber Command came up into being. They were focused on things like taking out ISIS, which was definitely a big issue in 2016. And they really weren't looking internally at our election system. And so this combination of actively break into the DNC, of make this stuff public, of the Facebook ads, of the influence campaign - it's not like they had their radar off the way the U.S. military did in Pearl Harbor. Rick, they hadn't even built the radar. 

David Sanger: Now, we're doing better this year because they have built the radar. But, of course, the Russians are trying some new and different techniques. 

Rick Howard: So you published the book in 2018. The documentary is coming out just over two years after. Is there anything between the two that's kind of crystallized in your mind or fundamentally changed? 

David Sanger: Well, we have updated this to reflect - actually, there's a big section on perception hacks, which is what you do when you do ransomware in one or two places to make it look like much more. So we brought it to the - up to date. 

David Sanger: You'll see people like Eric Rosenbach, co-director of Harvard's Belfer Center but was the chief of staff to Ash Carter at the Pentagon when he was secretary of defense, talking about the calculus that you make as you're under cyberattack or as you're trying to think about what the U.S. can go do. 

David Sanger: So the idea is to bring you in at a very human level to the kind of decisions that have to be made when you're on the receiving end and when you're on the offensive end. 

Rick Howard: The full version of this interview will be available very soon right here in this same feed. The documentary is currently streaming on HBO and HBO Max, and I highly recommend it. 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He's the dean of research at the SANS Technology Institute and also the host of the ISC "StormCast" podcast. Johannes, it's always great to have you back. I want to touch today on - well, I guess we're talking a little bit about alert fatigue, some of the things that you and your team have been tracking here. What do you have to share with us today? 

Johannes Ullrich: Yeah, this is really partly based on personal experience, but also a lot of the reports we're getting in from readers at Internet Storm Center that send us logs and such. A common theme here is that, hey, I'm being attacked all the time. Here are my firewall logs. What am I supposed to do about that? And honestly, my answer is often nothing. Don't worry. First of all, if you're looking at your firewall logs, those are actually alerts that you usually don't have to worry about because these are attacks that got blocked by your firewall. That's why they ended up in the firewall logs. So that's one part of it. Another part - what you're really looking for is sort of what's not showing up in your logs. That's sort of the hard part. And often logs and systems that are presenting these logs - it's a little bit also a problem with security tools - are really more distracting you from what's actually happening on your network. 

Dave Bittner: So it's this flood of information that's always coming in. It's that noise where you try to - you have to try to find the signal within it. 

Johannes Ullrich: You have to find the signal within it, and you really have to get a little bit more casual attitude to it. It sounds a bit scary, but the title of the post that I had was Today, Nobody's Going to Attack You. And that's probably right. For most organizations today, nobody's going to attack you. All you're going to see is these attacks. You're going to see they're not targeting you. They're looking for systems that you are not running. If you're running a web server, probably 90% of the attacks that you'll be seeing will be targeting software that you're not using, like some kind of a home firewall admin interface, something like WordPress and such. So really, it's nothing for you to worry about. The real skill here, I think, is to know what to ignore and in some ways also to have a little bit of thick skin here and not really, you know, get excited about every single attack that you're seeing. 

Dave Bittner: Well, how do you find balance here? I mean, how do you end up not having a false sense of security? 

Johannes Ullrich: That's really, I think, where experience comes in. And also it matters that you tune your tools. Ideally, if you have a security dashboard - and I'm very much idealizing it here - it should be blank. You shouldn't really see anything. And whenever something pops up, that should be something new. That should be something special. And what you really want to do is more sort of approach it from that hunting that's sometimes proposed these days where instead of waiting for the log to come to you, you're actually going out and looking for the attacker in your network. So basically take that other approach. That, I think, usually works better. You get more meaningful results that way. And I think it's also for the overall, sort of, mental health of the analyst a little bit better to approach it that way. 

Dave Bittner: Yeah. Maybe not have so much anxiety, right? 

Johannes Ullrich: Correct, not have so much anxiety. And, you know, at the end of the day, you're just done. You're going home, and the next day you'll try again to find them. 

Dave Bittner: (Laughter) All right, Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed, like a rock. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.