The CyberWire Daily Podcast 11.6.20
Ep 1210 | 11.6.20

IRGC domains taken down. A look at 2021's threatscape. Russia says it didn't do anything (others see Bears). Forfeiture of Silk Road's hitherto unaccounted-for billion-plus dollars.


Dave Bittner: The U.S. Justice Department takes down 27 domains being used by Iran's Islamic Revolutionary Guard Corps. Booz Allen offers its take on the 2021 threatscape. Russia declares itself innocent of bad behavior in cyberspace, but many remain skeptical. Johannes Ullrich from SANS looks at supply chain risks and managed service providers. Our own Rick Howard speaks with WIRED's Andy Greenberg about the recent Sandworm indictments. Silk Road's missing billion dollars appear to have been found, and the U.S. government is working on a forfeiture action.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 6, 2020. The U.S. Department of Justice this week announced that it had taken down 27 domains Iran's Islamic Revolutionary Guard Corps had used to distribute propaganda and disinformation. Many of the domains represented themselves as belonging to legitimate news outlets, but all were determined to be run by the IRGC and to be illegally seeking to exert a covert influence on public opinion in the U.S. and elsewhere. The warrant cites violations of the International Emergency Economic Powers Act and the Iranian Transactions and Sanctions Regulations. The Justice Department's announcement also notes that the IRGC's provision of material support to Hezbollah, Hamas and the Taliban earned it a place on the Treasury Department's list of specially designated nationals. That, too, exposes the group to U.S. legal action. John C. Demers, assistant attorney general for national security, explained the rationale for the takedown as follows, quote, "as long as Iran's leaders are trying to destabilize the world through the state sponsorship of terrorism and the taking of hostages, we will continue to enforce U.S. sanctions and take other legal steps to counter them."

Dave Bittner: Booz Allen Hamilton has published its expectations for the cyberthreat landscape in the coming year. They arrange their predictions on a novelistic armature, the efforts of a fictional CEO, Dakota Alexander, of a fictional Fortune 500 company to deal with a major cyber incident. The report opens much the way the Cyberspace Solarium Commission introduced its report with a fictional account of a Washington hellscape created by a massive attack on the Internet of things. The resemblance is not accidental. Both intros are by Peter Singer, political scientist turned novelist. Booz Allen sees eight main trends in cyberthreats. We might group them into three categories - the success-inspired, the pandemic-driven and the technologically enabled. The success-inspired trend will be marked by increased attention to and experimentation with various extortion and ransomware criminal business models. There are three pandemic-driven trends Booz Allen sees shaping the threat. First, both criminals and nation-states will devote more attention to attacking the delivery and shipping sectors. The increased importance of these businesses makes them high-value targets. Second, COVID-19 tracing apps and their supporting ecosystem present a new attack surface for criminals, spies and even lowlife trolls. Third, health care's shift to a remote delivery model is likely to be an enduring one, and criminals can be expected to go after telehealth systems, and remote health care monitoring devices will become more attractive targets. 

Dave Bittner: And finally, technological advances - cloud migration, artificial intelligence and 5G networks - will also shape the way threat actors develop and service their targets. The first trend is the likelihood that cloud-based development environments will become a vector for supply chain attacks. Second, as artificial intelligence becomes more pervasive across industries, machine learning systems and methods will become high-payoff targets. Third, 5G networks will complicate the attack surface industrial control systems present and give attackers a fresh advantage over defenders. Finally, the general public availability of 5G will enable attackers to find and exploit vulnerabilities in their victims' mobile devices. Each threat trend is accompanied by a set of recommendations for managing the risk the trend presents. The report closes with three general recommendations - don't become distracted, be proactive to be resilient and have an incident response retainer in place.

Dave Bittner: TASS is authorized to declare that, quote, "Russia keeps facing claims of its destructive behavior in cyberspace, which are groundless," end quote, and they have that straight from President Vladimir Putin. He's particularly miffed at reports of attempts to meddle with foreign elections. The rhetorical technique employed here is unlikely insistence. Quote, "there are continuing claims against us on our alleged hyperactivity in information space, meddling in elections and so on, which are absolutely unfounded," Mr. Putin said. And he repeated his calls for more cooperation with the U.S. on approving a comprehensive program for practical measures for resetting relations with Russia in using IT technologies. He also called for a full-scale, bilateral, regular interdepartmental dialogue on key issues of maintaining international security at a high level. 

Dave Bittner: Russia has indeed been quieter during recent elections in various countries than it was a few years ago, but quieter doesn't mean totally silent. Consider Reuters' recent Fancy Bear sighting and its account of GRU activities against some U.S. Democratic Party email accounts. And in any case, the Bears' lower profile is at least as likely attributable to their adversaries' deterrence by denial as it is to any putative Russian self-restraint. Some of the targets, Reuters says, include the Democrat-aligned Center for American Progress as well as the Indiana and California Democratic parties. 

Dave Bittner: There's no particular evidence of notable success in these campaigns, but then not all pawing gets the honey. 

Dave Bittner: The Silk Road online contraband criminal market was taken down seven years ago, its proprietor Ross Ulbricht now serving time in a U.S. federal prison. But the Silk Road legal story has continued. This week, the U.S. Justice Department filed a judicial forfeiture action seeking control over more than a billion dollars in bitcoin squirreled away in a crypto wallet associated with Silk Road. 

Dave Bittner: Someone, a hacker known only as Individual X, succeeded in exfiltrating a lot of alt-coin from Silk Road wallets. And as the price of bitcoin rose, so did Individual X's account. The Internal Revenue Service noticed. Treasury took the bitcoin, and now Justice is filing for forfeiture to bring some closure to the affair. So it appears, as WIRED observes, that justice may finally have an answer to its billion-dollar question - where did all the money go? 

Dave Bittner: If anyone needs a refresher on Silk Road and its celebrity impresarios, the online site Free Ross Ulbricht describes Mr. Ulbricht as an entrepreneur passionate about free markets and privacy, which is one way of looking at it. His hacker name, we recall, was the Dread Pirate Roberts, an homage to "The Princess Bride." The U.S. Justice Department's view of Mr. Ulbricht's career may be viewed at, and it's decidedly less rosy than the free-market privacy hawk Free Ross describes. Silk Road trafficked a lot of drugs and made a great deal of money from it.

Dave Bittner: And finally, our long period of uncertainty over leadership, over succession, and over the orderly transfer of authority seems finally to have reached a satisfying denouement. Major League Baseball has approved John Angelos as the successor to his father, Peter, as control person of the Baltimore Orioles. That is the executive responsible for the club as a whole. So take heart, Baltimore, and talk birdy to me. It's November, so let the hot stove leagues begin. 

Dave Bittner: Following the recent U.S. indictments of several Russian nationals associated with the Sandworm adversary group, our own chief analyst, Rick Howard, reached out to WIRED writer and author of the book "Sandworm" Andy Greenberg for his take on these developments. 

Rick Howard: Andy Greenberg is a senior writer for WIRED responsible for security, privacy and information freedom and author of the most excellent book, "Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers." Welcome to the show, Andy. 

Andy Greenberg: Thank you, Rick. I'm glad to be here. 

Rick Howard: Now, we asked you to join us today because just this past Monday, 19 October 2020, the United States Department of Justice unsealed charges, including computer fraud and conspiracy, against six of the hackers who allegedly are part of the hacker crew behind the cyberoperations you so clearly articulated in your book. And we thought you might have some insight about what all this means. So thank you for doing the - kind of giving us a guidebook for how to understand all this stuff. 

Andy Greenberg: Yeah. Reading this indictment, to me, it's, like, very gratifying. In a way, it's kind of closure on years of tracking this group that - you know, at times, it felt like I was in a pretty small club of security researchers who even believed that this was one group that was carrying out all of these attacks. And now seeing, you know, six names and six faces being held accountable for this, it's like a nice coda to the story. 

Rick Howard: All right. So let's talk about that. Can you - maybe not everybody has read your book yet. And by the way, I highly recommend that they do. But can you give us a thumbnail sketch of what the book was about? And then we can talk about what the indictments mean. 

Andy Greenberg: Sandworm is a group of Russian hackers that since late 2015 or so have carried out what I think is - you know, you could say is the first full-blown cyberwar. Starting in Ukraine, they attacked pretty much every part of Ukrainian society with these data-destructive attacks that hit media and the private sector and government agencies and then, ultimately, the electric utilities, causing the first-ever blackouts triggered by cyberattacks. Sandworm hit Ukraine's power grid not once but twice, in late 2015 and then again in late 2016.

Andy Greenberg: And then finally, this Ukrainian cyber war that Sandworm was waging, essentially, in the middle of 2017 kind of exploded out to the rest of the world with this cyberattack called NotPetya, a piece of malware that - a worm, a self-propagating piece of fake ransomware that was actually just a destructive attack that spread from Ukraine to the rest of the world and took down a whole bunch of multinational companies, medical records systems in hospitals across the United States, and ultimately cost $10 billion in global damages, the worst cyberattack in history by a good measure. So the story of Sandworm is kind of a detective story about the security researchers, you know, across the private sector. I focus on a few different people who were kind of trying to track this group and figure out who they are and try to warn the world that this Ukrainian cyberwar was soon going to spill out and hit us, too. And then that is exactly what happened. And when that happens, the book kind of switches from a detective story to a disaster story. And I track the effects of NotPetya across the world as it kind of causes this wave of devastation. 

Rick Howard: So why the indictments now? 

Andy Greenberg: I can't say that I have a definitive answer. I mean, I've asked Justice Department officials if this is about the election. And they say no, that, you know, this is just how long it takes to really get the evidence of who was at the keyboard doing what and, you know, have the basis for an indictment that'll hold up in court, although it'll probably never really go to trial. These guys will never actually see the inside of a courtroom. But, you know, it's hard to imagine that there's not some sense of the election in the calculus here because we know that the GRU - another part of the GRU at least, APT28's Fancy Bear - Microsoft has already warned that they were targeting hundreds of organizations over the last year, trying to breach them, and that many of them were political consultancies and political campaigns associated with the election and that they were probably trying to do a kind of hack-and-leak operation, as they did in 2016. So it seems to me, like - I mean, maybe it wasn't even intended to, but I kind of guess that it was - that this indictment sends a message to the GRU that - cut it out. Like, if you were going to do something for this election, just remember we are going to catch you. We're going to hold you responsible, just as we did for these older attacks. 

Rick Howard: I know there's all that calculus, and it's easy for armchair cyberwarriors like you and me to, you know, take potshots at it. But is there anything you could say about that? Is there - you could see reasons why governments would be reluctant to call out the Russians on this? 

Andy Greenberg: Well, I think you're right. Like, it's - I am an armchair cyberwarrior at best. 

Rick Howard: (Laughter). 

Andy Greenberg: And, you know, I know that this stuff is hard. And I really - you know, as I was saying, like, the criminal indictment is a remarkable document. And I'm amazed at the amount of work that clearly went into it. But I do think that, like, we have to hold our public officials accountable. And we have to hold them accountable to holding Russia accountable. It doesn't seem that hard to me to put together the forensic evidence that I could see that these attacks were carried out by Russia and make a public statement about that. I often use this "Lord Of The Rings" analogy - like, this ring is so powerful that, like, everybody wants it for themselves. And nobody wants to do the hard work of, you know, carrying it to Mount Doom and destroying it.

Rick Howard: Oh, man, that is the best analogy I have ever heard. We've definitely seen the escalation of this idea of continuous low-level cyber conflict. In the early part of the decade, you know, it was minor annoyances, but NotPetya and everything else after seems to be more significant. So, Andy Greenberg, thank you for being on the show. We - everybody go read his book. It's fantastic. Thanks for taking the time with us.

Andy Greenberg: Thank you, Rick. This was a fun conversation. 

Dave Bittner: Our own Rick Howard speaking with "Sandworm" author Andy Greenberg. You can hear more of this interview on our website. It's part of CyberWire Pro. 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute. He's also the host of the ISC StormCast podcast. Johannes, it's great to have you back. You and your team have been looking at supply chain risks, specifically when it comes to managed service providers. What sort of information do you have for us today?

Johannes Ullrich: Yeah, this was really prompted by an event recently where one large managed service provider, Tyler Technologies, was breached. And we had some of their customers contact us because they found remote access tools installed on some of their systems. And of course, the big question was, are these tools that Tyler Technologies legitimately installed or, due to the breach - passwords and so on were leaked - is this something that an attacker installed after breaching Tyler Technologies and retrieving these passwords from them?

Dave Bittner: So how do you explore something like this? What path did you all go down? 

Johannes Ullrich: Yeah. So - of course, first, you look at what tool is being used. And now, the tool that was installed here, that remote access tool was by all means a commercial, legitimate tool. And then, of course, it gets even more tricky. Now, this is something that a managed service provider, you know, would certainly install on your systems because they do need that kind of access to your system. They need to be able to remote install, remote monitor and do all of these things, add to it. So what it really comes down to is what I was calling is the who's-watching-the-watchers here? 

Johannes Ullrich: You have these companies that are managing networks. Often, they provide security functions for your network or various levels of service that you can purchase. But you need some kind of controls around how they're doing that, what they're doing. So you should have some communication channels set up where they will tell you, these are the kind of remote access tools we are going to install on your systems. In particular, if you are still retaining some security monitoring function, you need to know that in order to understand that this new communication you see in and out of your network is legitimate. That's due to this particular tool that the vendor installed.

Dave Bittner: Yeah, I was going to say - I mean, it seems like that, really, it's not unreasonable to expect a high level of communication with these folks, especially if they're going to have intimate access to your network. 

Johannes Ullrich: Exactly. And it's really important that you also monitor based on this. You can't sort of totally relinquish control of your network. You need to still retain sort of some kind of monitoring, some kind of access value - like I said, you know, watch the watcher. You're checking up on them. And this is not necessarily an adversarial thing that you're doing. It's not that you don't trust them. It's just that you need to know who else is in your network but that managed service provider, because an attacker managing your network, as we sometimes even call it, is probably acting very similar to this managed service provider. And you need to be able to tell the two apart.

Dave Bittner: Well, in this particular case, how did things play out? What did you discover in the end? 

Johannes Ullrich: In the end, we discovered here that this was a legitimate install, apparently. But this actually is still somewhat in progress. I don't think we have a complete conclusion yet, in part because everything is still a little bit in flux here with this breach as well. 

Dave Bittner: All right. Well, word to the wise, for sure. Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It's the breakfast of champions. Listen for us on your Alexa smart speaker, too. Don't miss this weekend's Research Saturday episode, my conversation with Craig Williams from Cisco Talos. We're going to be discussing PoetRAT, malware targeting the public and private sector in Azerbaijan. That's Research Saturday. Check it out.

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.