The CyberWire Daily Podcast 10.28.20
Ep 1203 | 10.28.20

Warnings about the DPRK’s Kimsuky Group. Election security in the US during the endgame. Section 230 and Big Tech. Another guilty plea in the eBay-related cyberstalking case.


Dave Bittner: U.S. authorities warn that North Korea's Kimsuky APT is out and about and bent on espionage with a little cryptojacking on the side. As the U.S. elections enter their endgame, observers point out that the appearance of hacking can be just as effective for foreign influence operations as the reality. CISA continues to tweet rumor control and election reassurance. Joe Carrigan shares developments in end-to-end encryption. Our guest is Bilyana Lilly from RAND on Russia's strategic messaging on social media and the disinformation that may be part of it. Big Tech returns to Capitol Hill. And another guilty plea in the strange case of eBay-related cyberstalking.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 28, 2020. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency, the FBI and U.S. Cyber Command yesterday issued an alert detailing the tactics, techniques and procedures being used by North Korea's Kimsuky Group, a cyber-espionage operation of that country's Hidden Cobra outfit. 

Dave Bittner: The Kimsuky APT has been around, the agencies think, since 2012. And they think spear-phishing is the way it typically gains its initial access to its victims. It also uses waterholing and other social engineering techniques to establish itself. 

Dave Bittner: Kimsuky's collection focuses on individuals and organizations in South Korea, Japan and the United States, and the intelligence requirements it seeks to meet involve foreign and national security policy that affect the Korean Peninsula, especially with respect to nuclear policy and sanctions against the DPRK. The targets are either individual subject matter experts, think tanks or South Korean government agencies. 

Dave Bittner: Should you be one of those targets, CISA, the FBI and Cyber Command's Cyber National Mission Force recommend that you sharpen your defenses, move to a higher state of awareness and up your game with respect to security awareness training and multifactor authentication. That's actually good advice to anyone at any time, but it has particular salience if you're in the crosshairs of the Kimsuky Group. 

Dave Bittner: The operators have in the past posed as South Korean journalists and initiated contact with their targets under the guise of interview requests. Most of the initial preparation has been benign and designed to chum the waters for the eventual phishing email. The hook has often been BabyShark malware. 

Dave Bittner: In addition to its interests in policy, Kimsuky has also shown a characteristically North Korean interest in theft, as Pyongyang doesn't pass up an opportunity to pull in revenue to redress its chronic financial woes that international sanctions have induced in the pariah state. It's not only think tanks and government agencies that get attention, but cryptocurrency firms and exchanges as well. And the APT is also known to engage in cryptojacking, installing coin miners on its victims' systems. 

Dave Bittner: So Kimsuky's remit extends to both traditional espionage and apparently to revenue-generating cybercrime. Forewarned is forearmed. 

Dave Bittner: The Wall Street Journal, citing Facebook, says that with respect to election interference, appearance is more important than reality. You don't have to actually have hacked anything to have an effect, as long as people think you did. 

Dave Bittner: The consensus now, for example, is that the Iranian actors who impersonated the Proud Boys to send out threatening emails earlier this month had no special access to voter databases, although they said they did. It was enough that they could make people think they did and that they could associate the Trump campaign with some discreditable and not particularly plausible threats of violence. 

Dave Bittner: If your goal is just disruption and the creation of doubt or suspicion - and Tehran seems to have adopted a kind of junior achievement version of Moscow's playbook with respect to the current U.S. elections - then you need not have actually done anything at all. It's disinformation as scareware. 

Dave Bittner: CISA Director Krebs has been tweeting advice and reassurance about election security in the few remaining days before voting concludes on Tuesday. Among the points he makes is that website defacements like the one the Trump campaign briefly sustained are just petty larceny noise of very little consequence. Those defacements, according to TechCrunch, were at the hands of altcoin scammers. 

Dave Bittner: Big Tech begins its latest round of appearances before the U.S. Senate today. Forbes predicts a lousy day for Facebook's Zuckerberg and Twitter's Dorsey. At issue in this round is the future of Section 230 of the Communications Decency Act, a law that gives online platforms the normally inconsistent protections of both a publisher, who can pick, choose and moderate content, and a neutral public square, which doesn't. We're simplifying, but in broad outline, that's what Section 230 does. 

Dave Bittner: Senators are believed likely to express skepticism over online platforms' commitment to operating in a viewpoint-neutral way, or at least within as viewpoint-neutral a way as consensus deems possible. 

Dave Bittner: From such preliminary versions of their prepared remarks as have become available, here's roughly how the two high-profile social media companies are expected to come out of the gate. Mr. Dorsey is expected to take a hard line against any changes to Section 230, citing it as an essential protection for internet speech. Mr. Zuckerberg is believed to be more flexible, talking about the value of Section 230 but acknowledging that maybe it could do with some modifications to bring it up to date. His moderation has already led TechDirt, at least, to sneer at him as a sellout. 

Dave Bittner: There's been another guilty plea in the very strange cyberstalking case involving people who formerly worked for eBay. Reuters reports that Philip Cooke, who'd been a supervisor of security operations at eBay's European and Asian offices, entered a guilty plea to conspiracy charges of cyberstalking and witness tampering. 

Dave Bittner: Mr. Cooke is among seven defendants charged in the case involving harassment of a Massachusetts couple whose mom and pop online auction newsletter displeased the eBay brass. They're alleged to have harassed the couple on Twitter, had raunchy adult material delivered to their home in discreditable ways and to have sent them disturbing packages like a bloody Halloween pig mask. 

Dave Bittner: Why the couple aroused so much ire among eBay's leadership is part of the mystery. Their newsletter seemed only occasionally and then mildly critical of the online auction giant. Skins must have been pretty thin around San Jose. Two more guilty pleas in the case are expected this week. 

Dave Bittner: Bilyana Lilly is a Pardee fellow at the RAND Corporation, where she's a policy analyst on cybersecurity, disinformation, information warfare, Russian foreign policy and NATO. She's the co-author of the recently published research titled "Defending the 2020 U.S. Elections and Beyond: Hunting Russian Trolls on Twitter and Reddit with AI." 

Bilyana Lilly: For the Russian government, this is a part of Russia's strategy of warfare. And various experts and governments have described the strategy with different terms. Some have called it political warfare. Others have called it hybrid warfare, hostile measures, the Gerasimov Doctrine - you name it. But the Russians use a specific term in their doctrine, which is, in Russian, (speaking Russian). And we don't really have a direct translation in English. But usually, we will translate it as information confrontation or information warfare. 

Bilyana Lilly: And disinformation in this particular strategy is a tool of warfare, and it aims to create chaos among us and divide us. And in the Russian mindset, this is a way to coerce states and achieve information superiority over the adversary. And that is why my awesome co-author, Florentine Eloundou, in this research, and I decided to tackle the topic. We thought it was important enough to do that. 

Dave Bittner: Now, you're using the term Russian troll here, which, of course, you know, has some baggage. Does the model specifically - is it able to differentiate just a Russian native attempting to speak in English, or can it actually dig deeper into the content for the specific type of content we would describe as being trolling? 

Bilyana Lilly: Yes, it differentiates between trolls and non-native English speakers, specifically Russian - yes. We did our model in several steps and made sure that the model differentiates between actual Russian trolls and actual Russian speakers who still decide to generate content in English. 

Bilyana Lilly: And we used - for that, we used several different datasets between our model, and one of them specifically to make this distinction between them, the Russian writing in English and the troll writing in English - is that we used a model of Russians who have written essays in English, and those Russians are native Russian speakers and they write in English as a second language. So the model was trained on exactly identifying the linguistic features that a Russian will likely not get entirely right when writing in English based on that dataset. 

Dave Bittner: And so where do you hope this goes next? Is this something you're all going to put out in the world? Are you going to share this? 

Bilyana Lilly: Oh, absolutely, yes. We are planning - so what we published right now was a short blog, and we are writing a more detailed analysis, a detailed paper that also describes every step of the process. And we also plan on making our dataset and all the analysis that we run public as well. 

Bilyana Lilly: And we hope that social media companies could benefit from this. Maybe they're already using some analysis like this or some algorithm and model like this. But we - as you know, Facebook and Twitter and other social platforms, when they release information about accounts, they just take them down. They don't really usually tell us exactly how they have identified those accounts. They say that they use technical indicators, but this is - we don't really know whether maybe they're already applying a model like this. 

Bilyana Lilly: And maybe that's why when we trained our model on data already released by Twitter, maybe our model had such high accuracy and precision because, exactly, Twitter uses a very similar model to identify those profiles. We don't really know for sure. 

Dave Bittner: Yeah, and that's fascinating. I guess I'm looking forward to having a browser plug-in or something like that that can, you know, tell me instantly who I'm dealing with and whether or not they're a troll or not. 

Bilyana Lilly: That'd be fantastic. I think that would be a step in the right direction. If we could get to that level, that'll make me so happy. 

Dave Bittner: That's Bilyana Lilly from the RAND Corporation. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting article you brought to my attention. This was over on the ZDNet website, and it's titled "The Encryption War is on Again, and This Time Government Has a New Strategy," written by Steve Ranger. 

Joe Carrigan: Right. 

Dave Bittner: Joe, another round in the crypto wars? What's the latest here? 

Joe Carrigan: So this is talking about end-to-end encryption, which is an application that allows me to send information to you with nobody in the middle being able to read it. So we share our keys, and then we - our public keys, and then we can send each other messages. And there's no hope of decrypting it, at least not without finding some vulnerability or knowing the keys, right? So it's reasonably... 

Dave Bittner: Right. 

Joe Carrigan: ...Secure. Well, these seven governments - this is the U.S., U.K., Canada, Australia, New Zealand and now India and Japan - are worried about the use of end-to-end encryption. And they are trying to persuade Big Tech companies to reduce the level of security that they offer to their customers, according to the article. 

Joe Carrigan: And they start off the opening statement, we, the undersigned, support strong encryption. And they agree that it is important to protecting privacy, data, intellectual property, trade secrets, cybersecurity, and in repressive states, it protects journalism, human rights and defenders of other vulnerable people. 

Dave Bittner: Yeah. 

Joe Carrigan: Then it goes into the caveat that we - quote, "we urge the industry to address serious concerns where encryption is applied in a way that wholly precludes any legal access to content," right? This is what we call the lawful intercept problem, right? 

Dave Bittner: Right, right. 

Joe Carrigan: So in other words, I want to be able to listen in on the conversation as a government person like I used to be able to do with phone calls. I could go out and get a wiretap warrant and listen to what bad guys were saying to each other or what people I thought were bad guys were saying to each other. 

Dave Bittner: Right. 

Joe Carrigan: The issue here is that these governments are looking for, essentially, a back door. So let's come up with a theoretical company, Dave. It's called Joe's Special Encryption Messenger, right? 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: And we'll call it SEM, Special Encryption Messenger - Joe's SEM. 

Dave Bittner: All right. 

Joe Carrigan: So let's say that Joe's SEM is an application that I developed that allows people to encrypt their communication end to end but also requires that it is applied with a key that I maintain so that I can, if necessary, read the messages, OK? 

Joe Carrigan: So first off, let's say that - let's look at the problems that creates. No. 1, let's look at the use case that the government believes will happen. The people can communicate privately until such time as the government goes, oh, we think these people are communicating illegal stuff. And they always talk about the four horsemen of the infopocalypse. These are software pirates, organized crime, child abuse image purveyors and terrorists. These are what they say. We need to watch out for these guys 'cause these guys are bad. And nobody says these guys are good guys, right? 

Dave Bittner: Right. 

Joe Carrigan: That's kind of why they... 

Dave Bittner: We're all in agreement. 

Joe Carrigan: Right. 

Dave Bittner: All those things are bad, yes. 

Joe Carrigan: We're all in agreement these are horrible people. And... 

Dave Bittner: Right, right. 

Joe Carrigan: ...So the government comes to me and says, hey, Joe. We noticed that this bad guy is using your communication thing. Give us the information between this bad guy and this bad guy. And I can do that, right? All right, well, that's fine. That's a lawful intercept in the U.S. 

Joe Carrigan: But what if my messages are being sent or the - my app is being used in a country like Iran or in a country like North Korea or in a country like maybe even China, where they do a lot of surveillance of their people? And the government comes to me and says, hey, Joe, we noticed these guys are participating in an illegal activity. Now, this is not something like software piracy, organized crime, child sexual exploitation images or terrorism. This is just dissidence, what we would look at in America as being something that would be perfectly lawful. How do I know... 

Dave Bittner: Right. 

Joe Carrigan: Now I have to make the decision of whether or not I want to help this government or that government. I think that puts an undue burden on me. There's actually no mention in this article about what kind of protections these governments are offering to companies in these countries. That's issue No. 1. 

Joe Carrigan: Issue No. 2 is, what happens if my key gets loose, right? This is just another surface area - right? - another point of attack. Now somebody knows that I have the keys that can decrypt all the communication. I'm going to become a big target. They're going to - if they get that information, if they get that key, that private key that encrypts all the traffic, then they're going to have access to it, or even if they just get a collection, they're still going to have access to all the communication. 

Joe Carrigan: And, finally, my other big point is while I say I might trust the U.S. government now for lawful intercept purposes, that doesn't necessarily mean I trust them in the future and in perpetuity, right? 

Dave Bittner: Yeah. 

Joe Carrigan: That's a - future-proofing the communication - the security of the communication is very important. And people need to realize that the world is dynamic. Things change. 

Dave Bittner: Yeah. It's interesting to me that they're still coming at this. 

Joe Carrigan: Right. 

Dave Bittner: They've added a couple of new countries who've joined in - Japan and India. 

Joe Carrigan: Yep. 

Dave Bittner: And so it seems to me like it's almost - it's a PR effort here, where they're - rather than saying - and they point this out in the article. Rather than saying, do something or else... 

Joe Carrigan: Yep, absolutely. 

Dave Bittner: ...They're saying, hey, rather than us coming up with a solution, we would really love it if you tech companies would come up with a solution to this. Be our pals. Be our friends. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: It smacks me like they're waiting for something to happen, and then they're going to say, if only the tech companies had let us see the information, we could've prevented this. 

Dave Bittner: Yeah, yeah. All right, well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It's everywhere you want to be. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.