The CyberWire Daily Podcast 12.23.20
Ep 1240 | 12.23.20

Cozy Bear: quiet and patient. Counting the costs of cyberespionage. Iranian influence campaign sought to inspire post-US-election violence.

Transcript

Dave Bittner: Cozy Bear lived up to its reputation for quiet patience. Counting the cost of the SVR cyberespionage campaign. What do intelligence services do with all that data they collect? An Iranian influence campaign sought to foment US postelection violence. Joe Carrigan looks at social engineering aimed at domain registrars. Our guest is John Worrall from ZeroNorth on the importance of security champions. And a last look ahead at 2021.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 23, 2020. 

Dave Bittner: Security firm Check Point has published an interesting account of the SVR's Sunburst operation against SolarWinds' Orion, with particular attention to the campaign's evasiveness, which they found effective. The researchers call it the art of tactical retreat and see similarities to the ways in which malware goes quiet to avoid being exposed in a sandbox. It's also more reason to regard Cozy Bear as the quietest and most patient of all Huggy Bear's big brood. Fancy Bear - noisy and impatient. Cozy Bear is just right. 

Dave Bittner: It will prove difficult to arrive at an accurate accounting of the damage and exposure associated with the SVR's successful cyberespionage campaign against US targets. Recall that among Cozy Bear's take were a number of FireEye red-teaming tools. Security company Qualys says it's found more than 7 1/2 million vulnerabilities associated with those tools among its customer base. And remember; none of the stuff taken from FireEye was a zero-day. Knowing one's own networks is a challenge, evidently, of Delphic proportions. 

Dave Bittner: Those curious about what an intelligence service might do with all the information they collect will find Foreign Policy's history of Chinese exploitation of its take of US data instructive. Beijing's big espionage success was its penetration of the Office of Personnel Management and its use of the data it extracted to roll up the CIA's human agents collecting against China. The damage to US intelligence was severe - the human cost, heartbreaking. 

Dave Bittner: Whatever the SVR has obtained from its quiet, months-long shuffle through American networks via SolarWinds' Orion platform and other points of entry, it's likely to amount to a great deal more than what Beijing got from OPM. With this in mind, a Council on Foreign Relations essay argues that US defensive and significantly offensive cyber capabilities remain under-resourced. 

Dave Bittner: The Washington Post has an unpleasant story about an information campaign Iran mounted earlier this month. The FBI says Tehran was behind an online effort to incite violence against officials in the US who publicly attested to the integrity of the November elections. 

Dave Bittner: The US Cybersecurity and Infrastructure Security Agency has released a draft of the National Cybersecurity and Protection System Cloud Interface Reference Architecture. It will be open for comment until January 29. 

Dave Bittner: We don't want to bury the lede, really, but we'd like to wrap this last regular daily podcast of 2020 with a final look through the glass and darkly into 2021. By consensus, in 2021, expect more pandemic stress. Expect remote work to become so deeply ingrained that it will be hard for many to imagine returning to their old workplace. And expect the Bears to snuffle here, there and everywhere. 

Dave Bittner: When investors look at the coming year, what trends are they alert for in cybersecurity? We asked Yoav Leitersdorf of YL Ventures what he thought the coming year would bring and how that would affect what investors would be looking for. In large part, he sees investors looking to the most pressing needs enterprises will face. Quote, "we see hackers exploiting new work-from-home vulnerabilities with attacks focused on supply chains, hospitals, insider data exfiltration, cloud apps and code. Investors will continue to look for technologies that address these specific markets or close remaining gaps in cybersecurity, like XDR, which brings AI to threat detection and response and works across endpoints, networks and cloud. But what is emerging now is to use security as a business enabler by moving it downstream to the code with DevOps-ready tools for developers to build in security for authorization, data protection and access. Also, looking outward, software-as-a-service app security is more important than ever and still presents interesting opportunities, as well as cybersecurity management platforms to help address the operational complexity of cybersecurity programs. Enterprises across the board are allocating significant resources towards software development. This widening attack surface is driving demand for solutions that can help security shift left, implementing security measures directly into the software development lifecycle. Application security is increasingly being owned by developers, leading to the need for security solutions tailored for those internal users," end quote. 

Dave Bittner: So customer demand will tend to flag investor interest. The massive and successful penetration of US government networks by Russia's SVR has already had an effect on investment in the sector. Bloomberg notes that the incident has extended a moderate bull run in cybersecurity stocks, with analysts seeing an increase in security spending that augurs a powerful and long-term demand tailwind for the sector. 

Dave Bittner: So finally, what do we wish for as we arrive at the last issue of our ninth year of publication? To all people of goodwill, we wish that all will be well and that all manner of things will be well. But since goodwill isn't universal, we have a few more specific wishes. To CISA, we wish all success in mopping up the US government's networks after the SVR hack. To the FBI, we wish many good collars of bad actors. And to NSA and US Cyber Command, we wish, above all, good hunting. Bring home lots of virtual Bear skins in 2021. Oh, and while you're at it, throw in some digital Panda pelts, and maybe some Kitten fur as well. We know you've got it in you. But in the meantime, may all manner of things be well, and we'll see you in the New Year. 

Dave Bittner: Application security, automation and orchestration platform provider ZeroNorth recently commissioned a survey exploring the notion of security champions within organizations and how they may serve as a bridge between security and DevOps teams. John Worrall is CEO at ZeroNorth. 

John Worrall: We look at the AppSec market and how it's evolving with DevOps. You know, you dig in not too far, and you find these security champions in a lot of organizations. And to us, they're really the linchpin of how well security and DevOps can actually work together. We did a survey about six or eight weeks ago. Ponemon Institute conducted a survey for us about this cultural divide between security and between the DevOps teams. And it's frightening in many ways. No one really understands who owns what when it comes to cybersecurity and applications. People don't actually like working with each other. The DevOps team doesn't like working with security, and vice versa. 

Dave Bittner: Do you have any sense for what is at the root of that divide? Where did it begin? 

John Worrall: I think it began with just the historical cultures of each organization. Quite honestly, the DevOps team, the whole development model has evolved to be so fast, so quick, so modern. And the AppSec market is really stuck in the same model it was using 15 years ago, which is, if you're going to secure code, you have to run a tool and look at the results, and then go chase down the results and fix it. The challenge with a tool-based model is that it is very slow. And the benefit of DevOps is it's very fast. So you have this major conflict between organizations that are just approaching this from a different perspective from their historical - you know, historical basis. 

Dave Bittner: So when we're talking about security champions, what are we talking about here? How do you define that? 

John Worrall: So in many organizations, there is someone who works for the chief information security officer. And it's a centralized corporate function, and they are basically embedded with DevOps teams. And their goal is to help the DevOps team do a better job of shipping secure applications. It can start with simply understanding what applications are in planning so that they can start participating in meetings about how to architect the code in a secure way, how to make sure the developers are trained properly on security for that particular application and how to look at policy for the application. And does this application have PII? Does it have health care data? And what's the level of security or governance standards that we want to put on this application? 

John Worrall: They also play a critical role when vulnerabilities are found through tools of really trying to understand which vulnerabilities matter. And this is one of the challenges where we're kind of sending these champions into a gunfight with a knife. And they're really not armed well to take advantage of that because there are just so many vulnerabilities coming out of these tools. But they try to interpret those results for the developers to say, you know what? This one looks like it's really important. Fix this one first. We'll let these others go for now - very manual, very labor intensive. But they're there with the developers trying to help them figure out, you know, how to best prioritize the vulnerabilities. And at some point, they're part of the team that says, yes, we could ship this or no, we can't ship this. 

Dave Bittner: Well, give me some insights there. I mean, what sort of tools are available in order to automate these processes, and what are the benefits that come from that? 

John Worrall: So instead of having different people run tools, having developers kick off scans when they're checking in code, that can happen automatically. Developers don't have to worry about - security teams don't have to worry about it. In modern DevOps pipelines, you're going to see between four, five, six, even nine different tools being run from a security point of view on that pipeline. And instead of having all the results from these multiple tools manually correlated, that's automated through a platform - so again, saves a lot of time and a lot of labor.

John Worrall: What's most valuable is that when you can start automating the scanning process, you can start finding vulnerabilities much sooner in the software development life cycle than if you are relying on manual processes. And you know, we know this from the quality days of Toyota back in the 1970s with car manufacturing. It's, like, a thousand times more expensive to fix the defect in the car after it's left the lot as opposed to fixing it right then and there on the assembly line. And the same cost model applies here. I think some of the data we've seen is if you - if it costs you a hundred dollars to fix it while a developer still has his hands on the code before it's even gone to the repository, it's 15 times once it goes through QA, and it's 100 times more expensive once it's actually out in the wild. And when you think about those costs, there is a very, very significant productivity increase in development that is here. This is not security. This is just productivity and development by having security automated and orchestrated throughout the pipeline. 

Dave Bittner: That's John Worrall from ZeroNorth. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Hey, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting story came by - this is over on ZDNet, and the title is GoDaddy staff fall prey to social engineering scam in cryptocurrency exchange attack wave. What's going on here, Joe? 

Joe Carrigan: So what has happened is these attackers have said to themselves, you know, we spend a lot of time impersonating domains. What would be a better way to do this? What if we actually got control of the actual domains for a cryptocurrency exchange? 

Dave Bittner: But, Joe, I have my domain locked. 

Joe Carrigan: Well... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...That's a good point, Dave. Maybe we can find a way to unlock it by calling up your registrar and telling them that we need to unlock it for a transfer or something and make some changes to it. And that's what happened here. These guys effectively - for a very short period of time, thankfully - lost control or had some changes made to their DNS records. They think that people - their customers - were phished. They think - they know in one case they had some internal email accounts compromised. They were able to stop any - nobody lost any cryptocurrency is the end of the story here, which is good, right? These guys realize what's going on. This - these two exchanges - one of them is called Liquid, and the other one is called NiceHash. I'm not really familiar with either one of these exchanges, but they were both able to prevent anybody from getting further access and then reaching out to GoDaddy and saying, hey, why did you guys make these changes? And GoDaddy was like, oh, we will undo those immediately. 

Dave Bittner: So the cryptocurrency exchanges had their own systems in place to alert them to changes, I suppose... 

Joe Carrigan: It would seem so, yeah. 

Dave Bittner: ...At the domain level. Yeah. 

Joe Carrigan: They knew about it pretty quickly. 

Dave Bittner: And that's what happened. 

Joe Carrigan: And the attackers were not able to get in. And one of these guys froze their wallet, so they couldn't make any - they couldn't even access the wallets. So the currency was safe. You know, imagine being a customer of that exchange, and all of a sudden, they say our wallets are frozen right now. We can't do any transactions. You're like, I have... 

Dave Bittner: Right (laughter). 

Joe Carrigan: ...So much money here. 

Dave Bittner: Is this a scam? Is this - yeah. Yeah. 

Joe Carrigan: Right. That was probably a very harrowing 24 hours for a lot of people. But everything's back to normal now, so we can all breathe a sigh of relief, especially if you own - if you hold cryptocurrency on one of these exchanges. 

Dave Bittner: Yeah. And, you know, from the social engineering aspect of it, it's - this seems to me to be a tough one to contend with because... 

Joe Carrigan: Yeah. 

Dave Bittner: ...You know, you can have multi-factor for your accounts. But there's always that human side, where if you can get a human on the line at a place like GoDaddy and somehow appeal to them to (laughter)... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, convince them that you are who you need to be for them to... 

Joe Carrigan: Yep. 

Dave Bittner: ...You know, just do me a favor here. I'm doing my best. Oh, that didn't work, you know? And these scammers - they know how to push those buttons. 

Joe Carrigan: Right. If they can get into GoDaddy and change the domain registration, then they can convince you, as the user of the exchange, that you're logging into the legitimate site. And then they can turn around and log into the other site - to the legitimate site somehow and - maybe via IP address. Then they can do whatever they want. I'm sure that was their vision here...

Dave Bittner: Right. 

Joe Carrigan: ...To move the cryptocurrency out of these exchanges into their own wallets. 

Dave Bittner: Yeah. 

Joe Carrigan: Fortunately, that did not happen. But it is social engineering almost all the way down. 

Dave Bittner: Yeah. It's interesting because, you know, you and I over on "Hacking Humans," we talk all the time about, you know, being extra careful about checking to make sure that that domain name is legit. Well... 

Joe Carrigan: Right. 

Dave Bittner: ...What if it is legit? 

Joe Carrigan: Like, what if it is legit? Exactly. 

Dave Bittner: It's actually the domain, you know? (Laughter). 

Joe Carrigan: Right. 

Dave Bittner: Somebody compromises the registrar. 

Joe Carrigan: Yeah. If someone compromises a registrar like they did here, they - everybody's got a problem. But fortunately, these guys immediately realized what was going on in these two exchanges, and they rectified the situation and took the necessary actions internally to make sure their customers weren't damaged, which is great. 

Dave Bittner: Yeah. 

Joe Carrigan: They did a good job. 

Dave Bittner: I wonder if you're GoDaddy or one of the other companies that's in this line of business - how do you contend with this? How do you... 

Joe Carrigan: Process. It's all about process. 

Dave Bittner: Yeah? 

Joe Carrigan: Yeah. You have good processes in place. You know, you examine what the actual process is, and you don't let someone short-circuit that process. And you make sure that they follow it. 

Dave Bittner: Again, though, it's that human - hey, can you do me a favor? 

Joe Carrigan: Right, exactly. 

Dave Bittner: You know... 

Joe Carrigan: It's our desire to want to help people that gets us into so much trouble. 

Dave Bittner: Jeez, I'm going to lose my job if I don't get this worked out. You know, Joe, I - can you just - I know you're not supposed to do this, but can you just make an exception just for me? 

Joe Carrigan: Yeah, exactly. 

Dave Bittner: I'll bake you some cookies. 

Joe Carrigan: Yeah. Ooh, cookies, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: Right. Actually, I'm not really susceptible to that because my wife makes really good cookies. 

Dave Bittner: Ah. OK. All right. Well, we'll come up with something else. 

Joe Carrigan: Yes. 

Dave Bittner: All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed. There's no place like home for the holidays. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: This is our last daily podcast briefing for the year. We'll be taking a break over the holidays, and we'll return January 4. In the meantime, we'll be sharing highlights from past shows in our main CyberWire podcast feed, along with episodes of "CSO Perspectives," our CyberWire Pro-exclusive podcast hosted by Rick Howard. 

Dave Bittner: 2020 has been a heck of a year, and I'm sure I speak for many in saying I'll be glad to have it behind us. Despite the challenges, there have been a number of good things about 2020 - among them, for me, the opportunity to work with our growing team here at the CyberWire. Before we sign off for the year, a few words about them. First, my fellow podcast hosts and on-air partners, Joe Carrigan, Ben Yelin and Carole Theriault, bringing their personalities, insights and expertise to our shows. It's my pleasure to share the mic with all of you. Rick Howard joined us this year as chief analyst and chief security officer, as well as host of our "CSO Perspectives" podcast and our quarterly analyst webinars. And it's been great having access to the wealth of knowledge and experience he brings to our team. 

Dave Bittner: Our sales and client services team are Bennett Moe, Gina Johnson and Nick Veliky. They make sure our advertisers are happy and getting the value they expect from our shows. And they do it with integrity and professionalism. Our development team are Chris Russell and Puru Prakash, who not only keep our in-house content management system up and running with our endless list of feature requests, but this year also built our CyberWire Pro offerings - no small feat. Stefan Vaziri led the product development and management of CyberWire Pro. Jennifer Eiben and Kelsea Bond are producers for our shows, keeping the pipeline of guests and partners full while wrangling our editorial calendar. They also take care of our social media and events. Elliott Peltzman joined us this year as audio editor and has made all of our shows sound better than ever. He wrote us some kick-ass theme music, too. Our editorial team are Tim Nodar and our CyberWire editor-in-chief John Petrik, who gather the day's news and distill it into the newsletters and podcast scripts I have the distinct pleasure of reading and sharing with you every day. 

Dave Bittner: We're thankful for the team at DataTribe who provide us with invaluable guidance and mentoring as our scrappy little startup grows and, of course, all of our partners and sponsors, without which we could not do what we do, and all of you for listening. We truly appreciate that you find the work we all do here valuable and continue to support us. Last but not least, thanks to our CEO and executive editor Peter Kilpe, whose steadfast leadership has kept us on the right track despite the significant headwinds that 2020 threw at us. Being the boss is often a thankless job, and I know I speak for the entire team when I say how much we appreciate everything he does to support all of us every day. 

Dave Bittner: Have a safe, healthy, restful Christmas and holiday break, and we'll look forward to seeing all of you back here next year. On behalf of all of us here at the CyberWire, I'm Dave Bittner. Thanks for listening.