The CyberWire Daily Podcast 10.26.20
Ep 1201 | 10.26.20

Russian research institute sanctioned for its role in Triton/Trisis. Coordinated inauthenticity in Myanmar. Clean Network program update. Major data breach in Finland.


Dave Bittner: The U.S. Treasury Department sanctions a Russian research institute for its role in the Triton-TRISIS ICS malware attacks - coordinated inauthenticity with a commercial as well as a political purpose. The Clean Network project gains ground in Central and Eastern Europe. Robert M. Lee from Dragos shares insights on the recent DOJ indictments of Russians allegedly responsible for the Sandworm campaign. Rick Howard explores SD-WANs. And data breaches afflict a large, Finnish psychiatric institute.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 26, 2020. On Friday, the U.S. Treasury Department's Office of Foreign Assets Control announced sanctions against the State Research Center of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics for, quote, "knowingly engaging in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation," end quote. Specifically, this comes down to the institute's role in developing the TRISIS-Triton malware. TRISIS-Triton was designed to disable industrial safety systems - obviously, a dangerous and unusually aggressive design, one more suited to the production of hazardous kinetic effects than to the simple compromise of IT systems. It was used against a Saudi petrochemical plant in 2017 but misfired. Had it functioned as intended, its effects could have been potentially lethal.

Dave Bittner: As Treasury explained the incident, quote, "the Triton malware was designed to target a specific industrial control system controller used in some critical infrastructure facilities to initiate immediate shutdown procedures in the event of an emergency. The malware was initially deployed through phishing that targeted the petrochemical facility. Once the malware gained a foothold, its operators attempted to manipulate the facility's ICS controllers. During the attack, the facility automatically shut down after several of the ICS controllers entered into a failed safe state, preventing the malware's full functionality from being deployed and prompting an investigation that ultimately led to the discovery of the malware. Researchers who investigated the cyberattack and the malware reported that Triton was designed to give the attackers complete control of infected systems and had the capability to cause significant physical damage and loss of life. In 2019, the attackers behind the Triton malware were also reported to be scanning and probing at least 20 electric utilities in the United States for vulnerabilities," end quote. 

Dave Bittner: The Treasury Department's sanctions are noteworthy in that they're being directed against a nominally disinterested scientific research organization. The authority for the sanctions is Section 224 of the Countering America's Adversaries Through Sanctions Act - known as CAATSA. The specific measures resemble those taken against other organizations the Office of Foreign Assets Control has placed on the Specially Designated Nationals List. Quote, "all property and interests in property of the institute that are in or come within the possession of U.S. persons are blocked. And U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50% or more owned by one or more designated persons are also blocked. Moreover, non-U.S. persons who engage in certain transactions with the institute may themselves be exposed to sanctions" end quote.

Dave Bittner: Not all coordinated inauthenticity is state-sponsored or even directed toward primarily political ends. Late Friday, Graphika described inauthentic networks based in Myanmar that Facebook took down on October 21. Graphika says they contain a mix of clickbait, much of it involving celebrity news and gossip, and political content, much of it pro-army and anti-Muslim. The clickbait apparently predominated - the motivation for the operation, Graphika concluded, was more commercial than political. 

Dave Bittner: ZDNet reports that four more European governments have signed on to the U.S. led Clean Networks program - Slovakia, Bulgaria, North Macedonia and Kosovo. They join the U.S., Canada, the U.K., Denmark, Norway, Sweden, Finland, Latvia, Lithuania, Estonia, Serbia, Slovenia, Albania, Greece, Poland, Ukraine, Romania and the Czech Republic in agreeing in principle on the threat Chinese companies like Huawei, but not only Huawei, potentially pose to 5G security. Much of Europe and North America, whether they've signed on to Clean Networks or not, now have expressed official skepticism about the wisdom of allowing Chinese hardware into their 5G infrastructure. The U.S. is currently in talks with both Brazil and India about 5G security. 

Dave Bittner: Finnish psychotherapy center Vastaamo has sustained a data breach, with loss of patient information. And individual patients have begun receiving extortion demands asking for three to 500 euros to keep their clinical details quiet. The story first began to appear in tabloids last Wednesday as victims complained of the extortion notes they'd begun receiving. Details remain sparse. And Vastaamo seems to have been slow to recognize that it had been breached. A press release from the company yesterday said that it believes it sustained two separate attacks, one in November of 2018 and another between December 2018 and March of 2019. Information belonging to some 300 patients is believed to have been published online. Computing reports that, overall, some 40,000 patients' data were compromised. Thousands of victims have already filed criminal reports. The incident has received attention at the highest levels of Finland's government. President Sauli Niinisto called the attacks especially cruel insofar as they constituted an assault on the victims' inner selves. National authorities are investigating and have said they're determined to bring the criminals responsible to justice. 

Dave Bittner: And it is my pleasure to welcome back to the show the CyberWire's chief analyst and chief security officer, Rick Howard. Rick, great to talk to you again. 

Rick Howard: Thank you, sir. 

Dave Bittner: On this week's "CSO Perspectives," you are talking about SD-WAN. And I have an admission to make that before we... 


Dave Bittner: ...We're going to meet here today, I am not really up to speed on exactly what an SD-WAN is and how it could be important for security. So before we dig in here, why don't you just take a minute and bring me up to speed? 

Rick Howard: Well, let me tell you, you're not alone, my friend. 

Dave Bittner: (Laughter). 

Rick Howard: There's a lot of people in the same boat, and so was I - OK - when I started working on this episode and, by the way, as many of our Hash Table experts were, too. So don't feel bad (laughter). 

Dave Bittner: OK. 

Rick Howard: All right, so here's what I learned. The first thing you have to know is that the way we are building our internal enterprise networks is going through a revolution. You may not even known that. The old way, starting, say, in the early 2000s, was that we needed to connect our data center that we managed and our other remote sites together. And we did that by installing expensive but fast and reliable MPLS circuits between the sites that we leased from the telecommunications companies. 

Dave Bittner: OK. 

Rick Howard: And, you know, by the way, I know you're reaching for the Google machine to look up what MPLS stands for. Let me just stop you there. It is multiprotocol label switching, all right? So put that in your nerd basket (laughter). 

Dave Bittner: Aw, I was just going - I was going to guess that, actually. Yeah. 


Dave Bittner: So it's just a dedicated - for the time - high-speed connection between the mother ship and all the remote offices, is that a fair way to describe it? 

Rick Howard: Yeah... 

Dave Bittner: Yep. 

Rick Howard: ...Dedicated hardware, dedicated software to establish those connections. 

Dave Bittner: OK. 

Rick Howard: And for security, we would backhaul the traffic destined for the internet to a data center that housed the security stack. So internet inbound and outbound traffic had to go through the security stack. And that's how we protected our environments. So fast-forward to today, enterprises of all sizes, as you know, are moving their workloads out of their data centers and into the cloud somewhere, either through SaaS services or IAS and PAS services from big providers like Microsoft, Google or Amazon. Because of that, it is making less and less sense to maintain these expensive, internal MPLS circuits when, mostly, what each site needs is an internet connection to the local cloud provider. Now, you do that through cheap and less reliable broadband connections. And in the very near future - I mean, you know, a couple years, probably - you might be doing this through 5G connections. But remember when I said these connections were unreliable? 

Dave Bittner: Yeah. 

Rick Howard: Well, the way we compensate for that is to install not one broadband connection, but many at each site, depending on how big your organization is. So remember that... 

Dave Bittner: Ah, belt and suspenders. 

Rick Howard: Say that again? 

Dave Bittner: Belt and suspenders. 

Rick Howard: Belt and suspenders, that's right. 


Dave Bittner: OK. 

Rick Howard: And so you got to remember that broadband connections are way cheaper compared to MPLS circuits, so it kind of makes sense. 

Dave Bittner: Yeah. 

Rick Howard: All that is great. But now the complexity for managing all those internet connections, in terms of data flow priority and choosing the fastest internet connection - not to mention ensuring that all that traffic goes through a security stack somewhere - has exponentially grown. This is where SD-WAN comes in. It is a software networking abstraction layer that manages all those connections. So to help me explain this, I was talking to Paul Calatayud. He came to the Hash Table this week to talk about it. He is the Palo Alto Networks' chief security officer for the Americas. And he came up with a fantastic analogy to describe what is going on here. 

Paul Calatayud: Resilience - it essentially makes up for the lack of dedication and lack of reliability, because now I have many, many unreliable options to get back home. And eventually, some of those paths - it's like Waze - right? - like the maps because, you know, like, all of a sudden, it's telling you to go a different path. But ultimately, it's looking and going, yeah, we'll get you there eventually - right? - like, on time. And you're going in back neighborhoods and going through dirt trails. And you're like, well, this is efficient. But that's kind of the way I see WAN works. Like, the big visualization here is SD-WAN is the Waze for networking (laughter). 

Dave Bittner: All right. Well, so I get it now. I mean, it's - we're talking - is this basically as if we had - for our WAN, we had a version of Waze to just make it all - right? - to make it easy, just in one place, right? It's guiding us from Point A to Point B, a way we didn't even know that existed. 

Rick Howard: That's exactly the way it is. And I took this quote from the Google website because it will help, all right? It says - here it is - quote, "knowing what's happening on the road with Waze. Even if you know the way, Waze tells you about traffic, construction, crashes and more in real-time. If traffic is bad on your route, Waze will change it to save you time," end quote. That is exactly what SD-WAN does for you on your network. 

Dave Bittner: You know, it's funny, I've come to believe that you don't believe Waze at your own peril, right... 

Rick Howard: (Laughter). 

Dave Bittner: ...Because, time and time again, I've been - Waze has been telling me to go somewhere, or any of these GPS, you know, smart GPS apps. And they're - and I'm going, this isn't right. This isn't right. This can't be right. I've never gone this way before. This is a completely - and then, all of a sudden, bam. I'm there. I'm at my destination. I'm like, (laughter) wait a minute. How did that happen? 

Rick Howard: Yeah. 

Dave Bittner: I didn't even know that that connection was possible. And so... 

Rick Howard: Well, you look at what those guys do - they're not going to get you there the best way, but they're going to get you there a way, all right? So... 

Dave Bittner: Yeah. 

Rick Howard: ...And that's kind of what SD-WAN is because you're going to have this myriad of connections, of ways to get to the internet and back and forth through your own enterprise. It's going to find a way to get your packets to where they need to go. 

Dave Bittner: Yeah. All right. Well, there's a lot more to learn about this. And I know you all will dig deep into it. It's "CSO Perspectives." It's over on CyberWire Pro. Do check it out. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. We just had, you know, the recent news that half a dozen Russian military officers were charged in a hacking campaign. This is the Sandworm campaign - the Justice Department going after them. I wanted to check in with you. What is your take on this? 

Robert M Lee: I mean, overall, I thought this was a really good and strong move, especially ahead of the election. I think the Department of Justice and the FBI as a whole have a bit of a credibility problem walking into election cybersecurity discussions, right or wrong. And coming out ahead of the election with a really detailed indictment, with some really significant access - I mean, this was - there's components of this that definitely came from either allied intelligence or NSA and CIA supporting these when you're actually getting into individual operator names and, really, you know, core details of what they were doing on the adversary side, not just from the victim's side. So by and large, real strong messaging. I think the message is pretty clear on, you know, we're willing to burn our resources to burn your resources. And that's a really significant thing for any government to say to an adversary state. The two kind of critiques that I had - and so I don't want this to get taken out of context, that I'm critiquing the report as a whole. Again, overall, well done to the folks that put this together. 

Robert M Lee: The two critiques - and I'd say one maybe a hilarious thing - No. 1 on the critique, I do think the 2015-2016 Ukraine attacks deserved a stand-alone sort of admonishment. I've been pretty critical of that when they happened as well, that we did not have any Western leaders come out and even condemn the attacks. Forget the attribution, forget any aspect of that. But even coming out and saying, look; a cyberattack that caused electric power outages on civilian infrastructure is exactly what we said for years we don't want to see. Let's set the precedent that we're going to come out and condemn this. And I've been fairly critical over the years that we never saw that. And I think that was a mistake. And so it's good to see it in the report as part of the, you know, history of this threat, if you will. But seeing it called out by the DOJ and see it called out, you know, five years later, I would have liked to seen a larger-state-sooner kind of effort. 

Robert M Lee: The other critique I have - and I'll have this critique forever, which - I fully understand its place in the strategy. I fully understand the opposing viewpoints here. I'm not saying they're not without value. But I just generally do not like the name-and-shame strategy of individuals, especially when they're in the military. I mean, two of those individuals and the one in "Wild Wild West" poster styled, you know, appendix they had were in military uniform, even, in the pictures. And I just think it sets an extraordinarily bad precedent that we are going to not only name and shame but do indictments and hold accountable the individuals more than the state themselves. Those individuals now have restrictions on them and have been publicly called out in ways that will never be able to go back to normal life. And yet we don't see a lot of sanctions or actions against the GRU or the Russian state themselves. And I think as the United States, where we have a really active Cyber Command, a really active National Security Agency, it is a mistake to put the focus on military and individuals. And I really, really abhor the day that we're going to see U.S.-enlisted members or similar on "Wild Wild West" posters in Russia or China or Iran. 

Dave Bittner: Why do you suppose they're coming at it this way? What do you suppose the intelligence community sees as the advantage of naming and shaming that way? 

Robert M Lee: Yeah, I think - yeah. So the opposing views I've heard before - one, which isn't opposing view - it's just the reality - is in the, you know - the DOJ's lane specifically is criminal indictments. And to do that, you've got to name people. So if you're going to invoke the strategy of using the Department of Justice against these cyberthreats, the naming of individual victims and the naming of individual adversaries makes a lot of sense in an indictment. So I don't think this is a critique on the DOJ. I think from a U.S. government strategy, they have used the DOJ multiple times now in this way. And I would advise elevating the discussion beyond the DOJ to be more about the states themselves and not the actor. 

Robert M Lee: As it relates to the counterpoints I've heard, you know, one of them very clearly - yeah, I think a number of people think, oh, well, they're not going to get arrested. This doesn't matter. Well, it is actually really impactful. Those indictments also carry over to allied states and states that honor sort of the indictments themselves. And making it difficult for those individuals to travel makes it difficult for them to go on holiday. Could be implications for their financials and bank accounts and similar. So the naming and shaming aspect does have impacts to those individuals. And again, the counterpoints I've heard before are it does actually deter, potentially, the individuals from ever taking those actions in the first place. I don't really buy that, having - and, obviously, I'm very biased here. But having been in the U.S. military and served in the National Security Agency, if my commander were to tell me to go do a mission, you know, supported by the president or whoever else and there was a fear of retribution or being named and shamed by a foreign state, that probably would've emboldened me, not deterred me. It's this aspect of, ah, well, I'm here to serve the cause. You know, if something goes wrong, you know, consequences be damned. You know, support the Constitution of the United States. 

Robert M Lee: And so I don't want to mirror image the adversary too much here, but I do question that the deterrence on individuals is real or impactful. And moreover, I do think the broader United States strategy against cyberthreats has to take into consideration stronger positions of condemnation, norm-setting, sanctions, economic sort of tools that we have, diplomatic tools that we have. And it seems that the DOJ is doing a really good job, but it's kind of, you know, one stool of the - or one leg of the strategy. And I think there's a couple other pieces missing right now. 

Dave Bittner: All right. Well, Robert M. Lee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It's good to the last drop. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha!. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.