The CyberWire Daily Podcast 12.22.20
Ep 1239 | 12.22.20

Bear tracks all over the US Government’s networks. Pandas and Kittens and Bears, oh my... Emotet’s back. Spyware litigation. A few predictions.


Dave Bittner: The US continues to count the cost of the SVR's successful cyberespionage campaign. Attribution and why it's the TTPs and not the org chart that matters. Emotet makes an unhappy holiday return. It seems unlikely that NSA and US Cyber Command will be separated in the immediate future. Big Tech objects in court to NSO Group and its Pegasus software. Ben Yelin looks at hyper-realistic masks designed to thwart facial recognition software. Our guest, Neal Dennis from Cyware, wonders if there really isn't a cybersecurity skills gap. And a quick look at some more predictions.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 22, 2020. 

Dave Bittner: The SVR cyberespionage campaign reached an email system used by senior officials in the US Department of the Treasury, according to The New York Times. The compromise may not have reached classified networks, and the Treasury secretary's email is still thought to have gone uncompromised. Microsoft, and not any federal agency, detected the intrusion and warned Treasury. 

Dave Bittner: While SolarWinds has attracted most of the odium surrounding the incident, and while the company's Orion platform has clearly been exploited in a software supply chain compromise, Dark Reading reminds its readers that other avenues of approach through federated authentication systems were also used by the SVR. 

Dave Bittner: Some reports suggest that the SVR engaged in some cross-agency collaboration with the FSB, the other KGB descendant in the Russian intelligence community, but the situation remains under investigation. 

Dave Bittner: CNBC reports that US Attorney General Barr has joined his Cabinet colleague Secretary of State Pompeo in attributing the recent cyberespionage campaign that targeted SolarWinds users and others to Russian intelligence services. He said at a press conference yesterday that the operation certainly appears to be Moscow's work. 

Dave Bittner: Perhaps this is as good a time as any for an excursus on nouns, both common and proper. 

Dave Bittner: The common nouns first. The word attack has long been casually used for any hostile cyber activity - spying, stalking, theft, data breach, control system interference and so on. We've on occasion used it that way ourselves. 

Dave Bittner: But the Russian cyberespionage campaign the US is now glumly trying to contain, explain and mop up has prompted a number of writers to call for more precision and circumspection on calling something an attack. After all, espionage attempts, whether successful or unsuccessful, aren't usually called or even thought of as attacks, although they're clearly unwelcome and usually unfriendly. Similarly, disinformation of certain kinds, when it involves denunciation, for example, might be called an attack, but that's pretty clearly metaphorical. 

Dave Bittner: In any case, the current activity that's collected against the US government by exploiting the SolarWinds software supply chain and probably other federated authentication systems has been widely referred to as an attack. However, it's also prompted calls for various forms of retaliation, which has led some to suggest that attack be reserved for activity that's clearly destructive or at least disruptive, and disruptive in a kinetic sense. 

Dave Bittner: While the SVR operation against the US was clearly very serious - indeed, no one probably is yet sure how serious it will turn out to be - it also doesn't seem to amount to an act of war. Not the usual espionage, maybe, but the response won't be and shouldn't be Rangers, Marines and tomahawks. 

Dave Bittner: And now for the proper names. There appears to have been more than one SVR unit involved in the family of cyberespionage activities currently gumming up US networks. A great deal of the coverage, however, has attributed all of it to APT29 - that is, Cozy Bear. A number of threat intelligence types have objected to this. APT29 is a particular unit of the SVR, or perhaps even better, a specific operational style of the SVR. It's not, properly speaking, an organizational alias of the whole Russian Foreign Intelligence Service. 

Dave Bittner: This may seem pedantic, so much inside baseball, if baseball were played in Yasenevo or at the Aquarium or around the Lubyanka. Who cares which numbered department of what chief directorate did it? Let the department heads save that for their annual reviews. 

Dave Bittner: Actually, however, it does matter. Defenders aren't so much interested in who the bad actors are. They're interested in what they do. Different threat groups use different TTPs - tactics, techniques and procedures - and the names are keyed to those. Whodunit is important, as they say, only if you carry a gun and wear a badge or, of course, if you're a journalist. 

Dave Bittner: So the operation that now requires the US government to demerde its networks isn't all down to APT29, a point made by people at Dragos and DomainTools, to take just two companies who work in this space. So it's the TTPs, not the org charts, that matter to the typical defender.

Dave Bittner: Now hold on just a minute, CyberWire, you'll say. You're one of the worst offenders with your liking for those animal names that people at CrowdStrike, among others, like to apply. What's up with that? It's always bears this and pandas that with you guys. 

Dave Bittner: What you say is profoundly true, and we asked our editor for an explanation. He argues that the infowar value of cute animal names outweighs any potential loss of clarity with respect to TTPs. The Russians absolutely hate - hate - being patronized as cuddly and adorable. And he points out that we've generally respected the naming conventions. If Cozy Bear was there, then they were there. And that doesn't exclude any other bears. 

Dave Bittner: But here's our way going forward of having our precision and eating the cuteness, too. Henceforth, we'll call any Russian threat actor Huggy Bear, which one of our stringers says is the only name her husband can remember anyway. 

Dave Bittner: We're open to suggestions on the rest of the Familiar Four. Pixie Panda seems like a good one for China, provisionally. Iran - how about Karen Kitten? And we draw a blank on North Korea. We have no idea what counts as cuteness there. So send in your suggestions. 

Dave Bittner: Mopping up after the SVR's cyberespionage campaign will be arduous. SecurityWeek quotes Bruce Schneier to the effect that the only way to ensure a network is secure after this kind of breach is to burn it down to the ground and rebuild it. 

Dave Bittner: Proofpoint yesterday tweeted that Emotet has returned, evidently in time to catch the tail end of the holiday shopping season. The gang had gone quiet for a short time before the holidays but is now back in action. Proofpoint says they're seeing 100,000-plus messages in English, German, Spanish, Italian and more. Lures use thread hijacking with Word attachments, password-protected zips and URLs. 

Dave Bittner: It's now thought unlikely, The Washington Post reports, that the long-contemplated, suddenly invoked separation of US Cyber Command from NSA will happen during the current administration's tenure. 

Dave Bittner: Microsoft complained last week that companies like NSO Group amounted to the 21st century equivalent of mercenaries. Yesterday, Redmond put its lawyers where its mouth is. Microsoft, Google, Cisco and Dell have joined Facebook's lawsuit against NSO Group, Reuters says. The companies filed an amicus brief with the US 9th Circuit yesterday. 

Dave Bittner: Before we close out the news, it's time for a quick review of the predictions we're seeing. 

Dave Bittner: Essentially everyone sees ransomware and remote work as trending up during 2021. What about cybersecurity firms considered as investments? Barron's says Cozy Bear's quiet, recently discovered but months-long romp through the US government and corporate networks has already led to a market scramble for cybersecurity plays. 

Dave Bittner: Market Insider reports that Wedbush is very bullish about the sector's 2021 prospects, expecting a general 20% increase in security spending to drive a perfect storm of demand that will be reflected in significant increases in the sector's valuations. 

Dave Bittner: Crunchbase thinks so, too - quote, "the cybersecurity market retained investor interest in 2020, and many in the sector expect next year to be no different," end quote. 

Dave Bittner: And how have past predictions fared? SecurityWeek looks back a decade at their Optimist's Cybercrime Predictions for 2011. The author thinks they were, in general, pretty well borne out. 

Dave Bittner: First, awareness is rising. Well, that's been true. And some of that awareness has prompted better security - quote, "cybersecurity budgets grow year over year, and the conversation today is about the need of having CISOs and CIOs as board members, which would have seemed in 2010 as science fiction," end quote. 

Dave Bittner: And there's been a rise in understanding of the attack surface the Internet of things presents. 

Dave Bittner: Greater awareness also seems responsible for the eclipse of hacktivism. It's been a long time since Anonymous, to take one prominent example, has been relevant. 

Dave Bittner: Next up, law enforcement is getting better. Better, of course, doesn't mean infallible, but it's difficult not to appreciate the growth in the attention, capabilities and resources law enforcement agencies have devoted to investigating, stopping and prosecuting cybercrime. They've also seen success in taking down online criminal markets, including Silk Road, Silk Road 2, AlphaBay, Hansa and Wall Street Market. 

Dave Bittner: Also on their list, it's getting harder to become a fraudster. This is the one prediction that hasn't been borne out. The criminals react, and the increasing commodification of attack tools, the growth of affiliate schemes, more sophisticated and plausible social engineering and the resilience of criminal-to-criminal markets, sometimes abetted by state actors, have combined to keep fraud thriving. So, as Meat Loaf would put it, two out of three ain't bad. 


Meat Loaf: (Singing) Now don't be sad 'cause two out of three ain't bad. 

Dave Bittner: Many lists of predictions for the coming year include the cybersecurity skills gap as a continuing issue for the industry, but is it? Neal Dennis is a senior intel analyst with Cyware, and he has his doubts. 

Neal Dennis: There's an unfortunate focus, I think, on how they approach the training and how they look at what they're doing with the people that they currently have on staff. 

Neal Dennis: We do see an uptick. So to be fair, before I go down this rabbit hole, there is an uptick in companies that are understanding that they need to help with this supposed gap, right? There's a decent amount of people coming online that know they need to take the time to train, provide for and hopefully maintain their current staff instead of having them leave every six months and having to find new people. 

Neal Dennis: But that being said, the vast majority, if they have anything, it's - at the most, it might be a tuition reimbursement kind of concept. And it doesn't really give that person, who's spending 45-plus, maybe 60 hours a week in that security environment, already overworked - it doesn't provide them with the actual support to go out and take advantage of that fund, right? 

Neal Dennis: They make them take their own time off. They make them - you know, under the old auspice, if you really want to do it, you'll show interest and utilize your own personal time to make yourself better for the company. And maybe 15, 20 years ago, that was a good way to do it. 

Neal Dennis: But with how exhausting and how overworked these people are to begin with, those two weeks of PTO they might get are going to be spent on actual PTO. Only a very small group of people are going to go home after being burnt out all day and pick up a computer and go read on how to be better at that role. 

Neal Dennis: It's just a lot of people get in, especially in a SOC environment. They see it. They want to be done with it when they go home, play some video games, maybe have too many things to drink and be done. 

Dave Bittner: (Laughter) What about sort of looking within - you know, that you might have folks in other areas of your company who already know the company culture, they may know all the players? It seems to me like they'd be good candidates to cross-train, and you could get them up to speed maybe quickly. 

Neal Dennis: Oh, definitely. And we kind of see this a little bit with, like, IT staff - like, the actual cable pullers and the install guys who come to your - you know, put your desktop in and run cables and do the network engineering stuff. But you kind of see a little bit of that where those individuals kind of try to cross-train in. Some companies support that to varying degrees. But from a cultural perspective, that's a great point. 

Neal Dennis: There's an unintentional barrier, I think, around perception that cybersecurity as a whole is something hard to get into. And in reality, the right persona - and it doesn't take a whole lot. For a couple of grand that the company could put out there for someone to go get something as basic as, like, Security+. And for a couple of grand in a week, you could take someone who was sitting in accounting and have them now be able to come in in a kind of junior/almost intern perception role into the cybersecurity ward. 

Neal Dennis: And so long as you continue to invest in that person and pay attention to the fact that they're new, they're going to need some coaching, some coaching in through all this stuff, you can have some really good home-grown people in your org come over to the cybersecurity side of the house. 

Neal Dennis: We have to break down those barriers to entry. We have to break down the walls and the perception that this is hard to do and just, you know, put a couple of bucks out there on the table and help motivate your team to do this. 

Dave Bittner: That's Neal Dennis from Cyware. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host on the "Caveat" podcast. Ben, great to talk to you. 

Ben Yelin: Good to be with you again, Dave. 

Dave Bittner: This is an interesting one from Reuters. And the title of the article is "Wearing Someone Else's Face: Hyper-Realistic Masks To Go On Sale In Japan," of course. Describe to us what's going on here. 

Ben Yelin: So first of all, you have to - anybody listening to this has to actually go to the article and see the pictures here. 

Dave Bittner: Yes. 

Ben Yelin: These masks are incredibly creepy in how realistic they are in terms of portraying somebody else's face. 

Ben Yelin: So this is just kind of an entrepreneur, owner of a mask shop. His name is Shuhei Okawara. And he is crafting masks that are based off real persons' faces. 

Dave Bittner: Yup. 

Ben Yelin: They're intended to provide the same sort of protection as a standard mask to protect against COVID. It's, you know, quite an addition to the type of mask entrepreneurship that we've seen over the past nine months. 

Ben Yelin: These are not going to be cheap. To purchase one of these hyper-realistic masks, you would have to pay 98,000 yen, which is not as much as it seems. It's about $950. 

Dave Bittner: Still... 

Ben Yelin: It's still a very hefty price for a mask, yeah. I was able to get, you know, six masks for $5 at the convenience store, so. 

Dave Bittner: Right, right. But the point of these is... 

Ben Yelin: The point of these is that you can disguise yourself and make yourself into a different person entirely. And that's why the demand for these masks so far has been surprisingly strong. 

Ben Yelin: What's interesting in our context is how would this work with something like facial recognition? 

Dave Bittner: Right. 

Ben Yelin: What I want to know is, is Mr. Okawara good enough at crafting these masks that it could trick a facial recognition system? 

Dave Bittner: Yeah. 

Ben Yelin: Having seen these pictures, my prediction is yes, he probably could. But I am not entirely sure about that. 

Dave Bittner: Yeah, yeah. I mean, these are - so what he did was he chose a model, and he paid the model to use their likeness to make these hype - this hyper-realistic mask. And now he's made several different versions since his initial one. 

Dave Bittner: So the interesting thing here is if I'm walking down the street and I have this mask on that, as we say, is a hyper-realistic version of that model, am I going to get tagged as that person while I'm walking down the street? Is it realistic enough? And, boy, it's hard to think that it's not. 

Ben Yelin: Yeah. I mean, it's one of those things where you have to see it to believe it. But if you look at the pictures, I mean, just the finite details in terms of, like, facial marks, freckles, like, the sculpting and shape of the eyebrows and the nose... 

Dave Bittner: Right. 

Ben Yelin: Like, it's something that is, you know, to be honest, going to give me nightmares in terms of how realistic it is. 

Dave Bittner: But you know what? I mean, you and I have talked about this on "Caveat" and maybe here, and this was certainly in the pre-pandemic days, about whether or not it's legal to simply walk down the street wearing a mask or not. And it's not always - pre-COVID, it was not always legal to walk down the street wearing a mask to hide your identity. 

Ben Yelin: No, it's not. I mean, I don't think this is something where there's - A, it's not going to be a broad problem because, you know, even in Japan, we're still talking about a limited number of these masks that are getting sold, although demand is particularly high. 

Dave Bittner: Right. 

Ben Yelin: So, yeah, there are some regulations and laws about concealing yourself in public. 

Ben Yelin: I'm curious as to as facial recognition develops and becomes more accurate, whether we're going to have laws that prevent this type of behavior where the purpose of a face covering is to disguise your facial features to evade detection from a facial recognition system. So you have to add sort of a criminal intent requirement to that type of statute, where you are actually purposefully changing the contours of your face to avoid detection. And maybe this is kind of the first salvo in that battle. 

Dave Bittner: Yeah, I don't know. I mean, talk about your slippery slope here 'cause, you know, what if I wear loose-fitting clothes to hide my physique, or what if I wear uncomfortable shoes to hide my gait? You know, what if I put on a false mustache or beard or a wig or, you know - like, you could see... 

Ben Yelin: A Groucho Marx... 

Dave Bittner: Right. 

Ben Yelin: ...Eyeglasses and mustache, yeah. 

Dave Bittner: But if you start - yeah. If you start legislating - and, yes, I suppose putting a facial covering on that looks like a different person is a little different than those things. But is it? Is it really? I guess what we're getting - the root of what we're talking about here is, is it within our right to try to protect our privacy against automated facial recognition scanning, right? That's the crux of the question. 

Ben Yelin: Yeah, it is. And - I don't know - I think the slippery slope is a problem to the extent that I don't know that we can properly answer that question at this point... 

Dave Bittner: Yeah. 

Ben Yelin: ...Because, as you say, you know, these masks are highly accurate, disturbingly accurate. But if you start to outlaw masks like this, you know, what happens to less accurate disguises or somebody who likes to put on a lot of makeup that, you know, might conceal some of their facial features... 

Dave Bittner: Right, right. 

Ben Yelin: ...You know, or face coverings in a non-COVID era for people who just want to protect themselves from the cold or something? 

Dave Bittner: Yeah. I walk around in my stormtrooper helmet, you know? 

Ben Yelin: I mean, we've been known to do that. 

Dave Bittner: (Laughter). 

Ben Yelin: So, yeah. I mean, I don't think we're at the point yet where we're going to start to criminalize this type of behavior, probably because of these exact reasons. 

Dave Bittner: Yeah, yeah. All right, well, it's an interesting development. One of those - it's one of those fun stories that I think leads to some more interesting issues and conversations. So for that, I'm thankful for this coverage. 

Ben Yelin: Absolutely. And make sure you check out these pictures because they're a sight to be seen. 

Dave Bittner: All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It saves you time and keeps you informed. Don't delay; apply today. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.