The CyberWire Daily Podcast 11.3.20
Ep 1207 | 11.3.20

Election security updates from CISA. Maze says it’s out of business (and never really existed). Edward Snowden wants dual Russian-US citizenship. A botmaster goes up river.


Dave Bittner: Notes on Election Day security from CISA. The Maze gang finally releases its press release announcing that it's going out of business. Mr. Snowden applies for dual Russian-American citizenship. Ben Yelin shares his thoughts on Mark Zuckerberg's recent Senate testimony. Our guest is Karlo Zanki from Reversing Labs on Hidden Cobra. And a botmaster gets eight years after copping a U.S. federal guilty plea to conspiracy.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 3, 2020. 

Dave Bittner: Today, of course, is Election Day in the U.S. Have you voted? We have, and of course, it's inevitable that the big story be cybersecurity and the election. The U.S. Cybersecurity and Infrastructure Security Agency is holding a series of media briefings throughout the day to pass on information about election security. A senior CIA official characterized the briefings as part of the agency's attempt to be as transparent as possible. 

Dave Bittner: The good news is that there really don't seem to be any major cybersecurity risks actively surfacing during today's voting. Iran and Russia have done a little bit of American cage-rattling but nothing too serious or even particularly convincing. During the first call at 9 a.m. Eastern Standard Time, CISA made a few general points. The U.S. has learned a lot about election security since 2016, and CISA believes it's put what it's learned to good use at the federal, state and local levels. 

Dave Bittner: The threat landscape has been encumbered by Iranian groups and, to a lesser extent, Russian actors. But their activities have been neither especially intense nor notably effective. Iran has been the more active of the two, but Tehran's disinformation efforts - threatening emails and some online video - were recognized and attributed within 27 hours. Russian efforts have been similarly ineffective and have so far been notably less intense than what was seen to emerge from Iran. 

Dave Bittner: There's no evidence that any threat actor has succeeded in altering voter information. CISA officials made this point several times. Much voter information is readily and freely accessible without the need for any nefarious data theft. CISA was concerned to explain that this didn't mean voter or voting data had been changed or corrupted. A senior CISA official said, quote, "elections are messy. Technology fails, and we're already seeing some resilience in the process," end quote. 

Dave Bittner: CISA expects technical problems in some of the thousands of polling places across the U.S., but these are expected to be part of the usual noise and not the result of cyberattacks. The most probable cyberattacks, should any develop, are from the familiar Iranian playbook - website defacement, distributed denial of service and wiper attacks. At the time of the briefing, CISA hadn't seen any pop up so far today. 

Dave Bittner: CISA strongly recommends using its rumor control site, which you'll find at It's being updated as necessary, a senior CISA official said. We're treating today as if it's halftime. Since foreign cyber activity is largely taking the form of disinformation and since the goal of such disinformation appears to be the erosion of confidence in the elections, CISA expects to remain on high alert until all votes are counted and certified in January. 

Dave Bittner: Turning to crime - well, to crime reporting, that is; we're not shoplifting or throwing rocks at cars or anything like that, but we trust you knew that. Turning to crime news, you'll recall that last week, BleepingComputer reported that the Maze ransomware gang was ceasing operation. At the time, Maze refused to confirm that it was going out of business, telling BleepingComputer that it should wait for the press release. 

Dave Bittner: Well, the release is out. Maze is going out of business, and HackRead has their press release. They're out of business, they say, and you should regard any future communiques, blog posts, emails and so on that purport to be from Maze as a scam. And besides, they say, they never really were in business after all. It's just clueless media hype and a bunch of hogwash put about by government tools. They were good guys, practically Robin Hoods - yeah, that's the ticket - just out to expose businesses' careless opsec practices. 

Dave Bittner: Their press release is composed in such fluent shadow speak that it would be a shame not to quote a little bit of it. Quote, "our world is sinking in the recklessness and indifference, the laziness and the stupidity," a contention we note that's basically been true since that talking snake offered what's-her-name some discount fruit. Anyway, the Mazers go on, if you are taking the responsibility for other people money and personal data, then try to keep it secure. And, as they say, the Maze cartel was never exist and is not existing now. It can be found only inside the heads of journalists who wrote about it. 

Dave Bittner: So there. Actually, while it may well be the case that the Maze gang - unusually nasty innovators in the field of ransomware - may be going, going and possibly gone, it's unlikely that the individual goons who worked in the crew will be downing tools. Look for them to hang out a new shingle either together or as independents. 

Dave Bittner: Edward Snowden tweets that he's applied for Russian citizenship. He explains that he's doing so for family reasons. He and his wife, Lindsay Mills, are expecting their first child, and they don't wish to risk the possibility of separation. Mr. Snowden says he will hold dual Russian-U.S. citizenship. He hopes to raise his child as an American and to return one day to the United States.

Dave Bittner: And finally, a word from the courthouse - Aleksandr Brovko, identified as both a Russian national and as formerly of the Czech Republic, has been sentenced to eight years in prison for his role in trafficking and monetizing botnets. Mr. Brovko in February pled guilty to conspiracy to commit bank and wire fraud. The U.S. Department of Justice says that in the aggregate, Brovko's botnets are thought to have cost victims more than $100 million. We wish him a tranquil sabbatical at Club Fed. 

Dave Bittner: Karlo Zanki is a reverse engineer from ReversingLabs, and he and his team recently published the results of their look at Hidden Cobra. He joins us with their findings. 

Karlo Zanki: Yeah, Hidden Cobra, also known as Lazarus Group, has been active for around 10 years. So generally, they are well-known. It's believed they are sponsored by the North Korean government. They are known for several campaigns, probably the most - best known by the Sony Pictures hacking campaign. And they're involved in WannaCry (ph) incidents, also several bank stealing information, cryptocurrency, stealing campaigns and different stuff.

Karlo Zanki: They tried to gain financial benefits or to go rearrange (ph) or different stuff. They are known to often recompile their tools to highly customized malware used on different targets. And they also use the tools, but with different infrastructure of such stuff. It is often not easy to detect new variants because they change their samples to avoid antivirus detection. 

Karlo Zanki: And when we talk, let's say, about some non-state-sponsored actors, they release big campaigns targeting a large number of people and hoping that big numbers will go in their favor. Let's say you send an email campaign to millions of people using the same samples and hope that 10% of that million targets would get infected by your malware. And non-state-sponsored actors are often happy with that result.

Karlo Zanki: State-sponsored actors like Hidden Cobra often don't go for such a high number of campaigns but focus their tools on smaller, more valuable targets and do more adapting of the solution for that target. And it's not easy to protect from such attacks when you have small clues that could help you detect those threats like IP addresses, domains and such stuff. 

Karlo Zanki: At this moment, they are quite active in cyberspace. Over the last 10 years, they conducted several campaigns, did quite a lot of damage during that - those campaigns. And we believe that they could be interesting to general research community and potential targets in the industry and government institutions. And we believe our correct (ph) research could give additional bonus knowledge which help protect from these predators. 

Dave Bittner: That's Karlo Zanki from ReversingLabs. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: You and I recently - over on "Caveat," we were talking about how the big folks from the big social media companies - your Zuckerbergs, your Jack Dorseys - were put in front of Congress to testify. And Mark Zuckerberg's testimony gathered some attention here. I'll quote him talking about Section 230. 

Dave Bittner: He said, "Section 230 made it possible for every major internet service to be built and ensured important values like free expression and openness were part of how platforms operate. Changing it is a significant decision. However, I believe Congress should update the law to make sure it's working as intended." 

Dave Bittner: This gathered a lot of commentary from both directions, but I think there are plenty of people out there who are cynically saying that Mr. Zuckerberg is arguing in his own interest that changing Section 230 would have some business advantages for him. What are your thoughts here, Ben? 

Ben Yelin: Sure. So just to refresh, Section 230 generally provides immunity from the Twitters, the Facebooks, the Googles of the world from liability. So any service that is an interactive computer service who publishes information from third-party users is shielded from legal liability. And that's - that shield from legal liability has allowed these companies to flourish. They can't be held liable for their content moderation decisions. So, you know, it's allowed Facebook and Twitter to experiment with their own content moderation, to allow free expression to flourish, but also give them latitude to make decisions as to how to restrict their own platforms. 

Ben Yelin: We've seen this cause a good deal of political controversy from both the political left and the political right, but largely for different reasons. So on the political right, you see a lot of complaints that social media companies are biased against conservative viewpoints. And from their perspective, Facebook and Twitter and other companies censor conservative articles, conservative commentary at a far more robust pace than they do commentary from the left. 

Ben Yelin: What the social media companies would say is, we try and make politically neutral judgments on content moderation. Whatever article you see has been removed or, you know, we've limited shares on, it's because it's violated our terms of service. Either it's, you know, misinformation, abusive, et cetera. 

Ben Yelin: The political left thinks that Section 230 gives too much latitude to these companies. They think that these companies aren't doing enough to protect against misinformation, particularly as it's related to election interference and for abuse, et cetera. 

Ben Yelin: So you have this bipartisan coalition of skeptics against Section 230, and I think that's really important to understand - that context is really important to understand when evaluating Zuckerberg's opening statement. I think saying that he's amenable to getting rid of Section 230 is a way to ingratiate himself to members of both political parties. 

Dave Bittner: (Laughter) I know you - all of you don't like me equally. 

Ben Yelin: Exactly. Exactly. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: So what if I said this one thing where you hate me slightly less after I give this opening statement? And, yeah, I mean, he knows he's been much maligned by, you know, the most conservative United States senators and the most liberal United States senators. So I think this is a strategic move on his part. 

Ben Yelin: The other element of this, which you mentioned, is he has Facebook's bottom line in mind when coming up with this opening statement. Facebook, as he says in his statement, greatly benefited from the protections of Section 230. It allowed them to flourish. It allowed them to make their own content moderation decisions. 

Ben Yelin: So now that Facebook has nearly 100% of the market share for their type of service, for him to remove that liability shield from himself but also from other potential competitors is, to me, really, an anti-competitive practice that's seeking to protect Facebook's place in the market. And I think that would be the cynical look at what Zuckerberg's motivations are here. 

Dave Bittner: Yeah. I was looking at one take on it over on the Techdirt website. Mike Masnick wrote - he said, make no mistake about it; this is Mark Zuckerberg pulling up the innovation ladder he climbed behind him. 

Ben Yelin: Absolutely. It reminds me of that old "Simpsons" GIF where Homer Simpson drives over the bridge, and then once he's over the bridge, he sets it on fire so nobody else can cross it. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: So, yeah, I mean, I think this is an instance of protecting your incumbent advantage as, you know, the Goliath of social media giants. And I also think it's really interesting that Zuckerberg is saying this, but so far we haven't seen the other people who are testifying at this committee hearing, like Jack Dorsey, come out in support of some sort of Section 230 regulation. So far, it's been unique to Zuckerberg. 

Ben Yelin: I'll also say - you know, one thing I'm also skeptical of is he offers a critique of Section 230. And he says, I think to ingratiate himself to politicians, that he's amenable to changes. But he doesn't really suggest what those changes would be. 

Ben Yelin: If you are too strict, if you remove that liability and allow the Facebooks of the world to get sued on the basis of their content moderation decisions, then these companies are going to be extremely conservative about what they allow on their platforms. And it's going to start to look more like broadcast news where, you know, NBC, CBS and ABC aren't going to put controversial content on their network because they know that they could be fined by the FCC. 

Ben Yelin: But then if you, you know, go too far in the other direction and you're too - you know, you're too lax in terms of content moderation, you could be allowing for the massive spread of disinformation, of abuse. So, you know, if you're going to offer a critique of Section 230, which he does here, I think it's incumbent upon him to offer some sort of policy solution. That's just not something that I've seen. 

Dave Bittner: Yeah. Yeah, it smacks of - please don't throw me in the briar patch. 

Ben Yelin: Yeah, exactly. And I can understand. And, I mean, it's intimidating, even if it's via Zoom, to be grilled by a congressional committee. But, yeah, I mean, I do think we have to look at this a little bit cynically and realize the unique motivations that Zuckerberg has in these circumstances. 

Dave Bittner: Yeah. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cyber security leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. That's a spicy meatball. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.