The CyberWire Daily Podcast 1.5.21
Ep 1242 | 1.5.21

It’s not Kates and Vals over Ford Island, but it’s not just a tourist under diplomatic cover taking pictures of Battleship Row, either. Another APT side hustle? To delist or not to delist.


Dave Bittner: Hey, everybody. Dave here. As you know, we've been fortunate to have built a pretty influential audience over the years. Security leaders across the globe trust us and depend on us every day to deliver the news and analysis they need to do their jobs, and that's also why so many top security companies and hot startups trust us to connect them to the decision-makers and influencers to help get the word out about their brand and fill their sales funnels. We've got lots of great sponsorship opportunities that can help you get the word out, too. Just visit to learn more and connect with us. That's Thanks.

Dave Bittner: More assessments of the Solorigate affair, with a side trip to Pearl Harbor. Shareholders opened a class action suit against SolarWinds, but no signs of an enforcement action for speculated insider trading. Emissary Panda seems to be working an APT side hustle. Kevin Magee has insights from the Microsoft Digital Defense Report. Our guest is Jason Passwaters from Intel 471 with a look at the growing range of ransomware-as-a-service offerings. And there's to-ing and fro-ing on Chinese telecoms at the New York Stock Exchange. 

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 5, 2021. 

Dave Bittner: Qualys offers a look at the backdoor installed in the Solorigate cyberespionage operation. They draw particular attention to the malware's evasiveness and use of domain generation algorithms. Their concluding assessment is about as gloomy as might be expected. Quote, "in the end, we can conclude that the techniques which the attackers have used in this breach are very sophisticated - supply chain compromise, data encoding, impair defenses and dynamic resolution, to name a few. Instead of doing major damage to the infected system, the attackers have focused on staying unnoticed from security products. In the coming days, we can expect to see widespread use of similar attacks," end quote. 

Dave Bittner: A ZDNet op-ed throws its hands up and declares the SolarWinds software supply chain cyberespionage campaign to be worse than imagined. Assessing just how bad it is would require more understanding of the incident and its effects than is now - publicly, at least - available, but consensus remains that it's pretty bad. IronNet offers a set of expert takes on why this form of cyberespionage, more than an ordinary data breach, has the potential to serve as preparation for more serious attacks later. 

Dave Bittner: A lot of people continue to call this a "Cyber Pearl Harbor" or a "Cyber 9/11," but these metaphors still seem wayward. Thousands were killed at Pearl Harbor and on 9/11, but as far as anyone knows, there have been no physical casualties attributable to the SolarWinds hack. So it's probably best to reserve the Pearl Harbor talk until, heaven forfend, people are actually killed or injured on a large scale by a cyberattack. 

Dave Bittner: So why have intelligent observers been willing to talk about a cyber Pearl Harbor? In truth, this campaign is more worrisome than ordinary collection. The threat actors corrupted a software supply chain and quietly established persistent backdoors in organizations that use that supply chain. This makes it possible, perhaps even likely, that the effort amounts to battlespace preparation, the staging in cyberspace of capabilities that could be deployed in attacks having widespread effect, including kinetic effects. 

Dave Bittner: So it amounts to more than just knowing that USS Pennsylvania was in dry dock and that USS West Virginia, Oklahoma, Arizona, California, Maryland, Tennessee and Nevada were at their moorings on Battleship Row. But it's far less than the appearance over Oahu of Kates and Vals from the First Air Fleet - not yet a cyber Pearl Harbor but it's not just collection as usual, either. 

Dave Bittner: SolarWinds shareholders have filed a class action suit against the company, whose Orion software has been at the center of the eponymous cyberespionage incident. The plaintiffs allege, Fox Business reports, that the company misrepresented and failed to disclose information about the incident, and this amounted to failing its duty to disseminate accurate and truthful information. The harm is alleged to be first reputational, as both the company and its shareholders look bad, and second financial, as the suppression of bad news is alleged to have artificially inflated the company's stock. It was bound to come crashing back to Earth once the air was out of the balloon. 

Dave Bittner: The plaintiffs also allege that SolarWinds executives had actual knowledge of the material omissions and/or the falsity of the material statements and that, worse yet, they intended to deceive plaintiff and the other members of the class or, in the alternative, acted with reckless disregard for the truth when they failed to ascertain and disclose the true facts in the statements made by them or other SolarWinds personnel to members of the investing public. They're not asking for a specified amount but rather for reasonable costs and expenses incurred, like spending on legal counsel and various experts, as well as whatever additional relief the court should judge appropriate. SolarWinds hasn't, as far as we've seen, commented directly on the lawsuit, but its representatives are making the right pacifying noises about working with law enforcement and intelligence agencies to get to the bottom of the incident and about doing everything it can to identify, remediate and mitigate this sort of risk, including its effects on third parties. 

Dave Bittner: At the close of trading yesterday, SolarWinds shares were priced at $14.53, a 34% drop-off since the incident came to light. It's worth noting that the class action lawsuit against SolarWinds isn't about suspicion that company insiders traded to their advantage on nonpublic information. The plaintiffs assert that they were misled, that the company's valuation was artificially inflated, and that, had they had an accurate picture of the business, they wouldn't have bought the stock. Simply Wall Street observed back on November 19, well before the news of the cyberespionage came to public attention, that SolarWinds insiders had for some time been selling rather than buying shares. That's not at all criminal or even unseemly, but it's a data point outside investors find interesting. 

Dave Bittner: But one large sale in December did raise retrospective suspicions. Silver Lake and Thoma Bravo on December 7 sold some $315 million of SolarWinds stock to the Canada Pension Plan Investment Board. FireEye disclosed an incursion on December 8, and SolarWinds disclosed on December 14 that the company had been apprised of the incident. This raised eyebrows, as Axios reported on December 18, that some investors may have traded on nonpublic knowledge of the problem. SolarWinds denied this and was publicly backed by the CPPIB, so that story hasn't shown legs, at least not in the present lawsuit. 

Dave Bittner: Chinese threat actors may be involved in an APT side hustle. Researchers at Profero and Security Joes say they found Emissary Panda, the Chinese state-run threat group also known as APT27, conducting ransomware attacks. Their attribution is based on code similarities and TTPs, but they caution that all such attribution carries an inevitable degree of uncertainty. Most ransomware strains have by now evolved information-stealing capabilities, so the ongoing campaigns may represent a twofer - self-funding intelligence collection. The principal objective is intelligence collection, with any ransom representing so much gravy, perhaps to fund the operation or perhaps as an incentive to the operators running the campaign. 

Dave Bittner: The New York Stock Exchange's on-again, off-again delisting of three major Chinese telecommunications companies in response to U.S. sanctions has roiled the market for China Mobile, China Telecom and China Unicom shares. The Wall Street Journal reports that share prices fell between 3 and 6% in trading yesterday after news broke that the New York Stock Exchange would delist the three companies in compliance with a U.S. executive order blocking, on security grounds, Americans from investing in them. But late yesterday evening, the Exchange said it had reconsidered and, after consultation with various regulatory authorities, would continue to list the companies' shares. CNBC speculates that the NYSE is counting on the Biden administration to take a more irenic approach to Sino-American relations and, of course, the security implications of those regulations. 

Dave Bittner: The ransomware criminal marketplace continues to expand its offerings, and it's noteworthy that ransomware-as-a-service is a growing trend, providing the opportunity to do online crime to those who may not have the technical know-how to roll their own. The team at threat intelligence firm Intel 471 have been tracking the evolution of this trend. Jason Passwaters is chief operating officer and co-founder of Intel 471. 

Jason Passwaters: I think it just goes back to, you know, the days of Zeus and the kind of professionalization or the kind of productization, if you will, in the malware space. And, you know, as folks made more and more money, they saw the kind of, you know, the ROI there, and they've really kind of defined and matured a business model around it. And that's what you see today is a business model at play that has, you know, resiliency built in. It's got, you know, all kinds of stuff like support, everything you'd see in a typical business but obviously doing much more nefarious things. 

Dave Bittner: Well, let's walk through that business model together. I mean, suppose I'm someone who has my sights set on sending some ransomware out into the world, but I don't have the technical skills to do it. Where do I begin? 

Jason Passwaters: Yeah. I mean, there's - you know, you hear deep and dark web often. I don't really see it as deep and dark. It's a very well-organized marketplace, and it is really organized in a kind of a products, services and goods model, and then you have consumers, obviously. So first place you would look is, you know, in the marketplace. It's not every low-level threat actor can get involved into a ransomware affiliate right away, but they might start with, you know, doing kind of low-level, you know, hacks or selling of the accesses into different organizations or companies. And that might be their pivot point into the ransomware-as-a-service space. 

Dave Bittner: And who are some of the big players here that you're tracking in this space? 

Jason Passwaters: Yeah, so there's a lot of things popping up. We have a model for pretty much everything in the marketplace. Like I said, it's broken down into products, services and goods. So we have this model, a tiered kind of setup where if we're looking at a specific service or a specific product or some specialty or focus area in the marketplace, we break it down into tier one, two and three. You know, the big players are going to be, you know, your Egregor, your DoppelPaymer, Netwalker, REvil as well as the Ryuk and Conti side. 

Dave Bittner: So did you suspect that it - certainly in the short term, I suppose, that this model is here to stay? 

Jason Passwaters: I do. I do. I think the criminals, you know, have the ability to change faster, oftentimes, but, you know, that, I believe, is where the intel, the threat intel industry can kind of, you know, play a large role into keeping abreast of what's going on, keeping up with the adversary and then constantly making sure that their businesses are informed so they can make decisions to keep pace. 

Dave Bittner: That's Jason Passwaters from Intel 471. 

Dave Bittner: And I'm pleased to be joined once again by Kevin Magee. He's the chief security and compliance officer at Microsoft Canada. Kevin, it's great to have you back. I want to touch today on a report that you all recently put out. This is the Microsoft Digital Defense Report. First of all, let's start with some high-level stuff here. What prompted the creation of this report? 

Kevin Magee: I think, really, that the new reports are a reimagining of the Microsoft Security Intelligence Report called SIR that a lot of your listeners are probably familiar with because we've been publishing it since 2005. And the SIR report was really operationally focused, and this new iteration will be more focused on sort of strategic threat intelligence, you know, providing greater contributions across the company. We have 77 countries represented - so a truly global perspective and providing strategic threat intel that leaders really need to make better informed decisions. 

Dave Bittner: Well, let's go through it together. I mean, what are some of the things that caught your eye? 

Kevin Magee: Well, I think just from a high level, you know, regardless of what company you work for in the industry, we're all defenders, and we're all part of a larger community with a shared mission. And, you know, as defenders, we're better when we have a more complete view of the evolving techniques of a threat actor. So that's what we're really trying to provide in this report. And we've broken it into three areas that we found were most relevant to decision-makers, and that's cybercrime, nation-state threats, the current remote workforce, and then we include also some actionable learnings that we've taken from the reports. So not only can you read the report as a decision-maker, there's real, concrete things you can do to improve your security posture included in the report as well. 

Dave Bittner: Well, let's go through each of those categories together. Can you give us some highlights from each section? 

Kevin Magee: Yeah. I think in the cybercrime, the things that really jumped out at me that I like to discuss with nontechnical people, either policymakers or business leaders, is we're moving away from infrastructure-focused attacks to identity and applications. That's really what we need to be protecting now. We're also seeing cybercriminals follow the issues of the day. So we can literally map, you know, things that are happening in the news headlines to evolving tactics and how threat actors are changing, how they perceive attacks and how they administer attacks. And then finally, there's a human element that we're starting to see introduced into attacks now that's really changing how we defend and how we need to think about attacks. So we don't think about a Ryuk attack anymore. We're very focused on this sort of media-driven narrative of the attack that names it fun via the tool, and we're seeing a switch to more of a human-operated cyberattacks and cybercrime where at each point in the attack, a decision is made on how best to proceed next. So they're getting much more sophisticated. They're using multiple tools. And the best example I really use to think about this differently is, you know, we, for a long time, focused on deflecting the arrows. And now we have to start thinking about the archer, which is the threat actor, and how we can position our security posture and make better decisions based on the threat actors most likely to attack us rather than the actual tools they're using. 

Dave Bittner: Yeah, that's a really interesting analogy. What are you tracking on the nation state trends? 

Kevin Magee: Many of the trends, really, are - tracked similar with other organizations out there that are doing research work. But we're seeing a lot of overlap now. I think that's what our report really is - is the message we're trying to land in, that nation states are adopting a lot of the tactics that cybercriminals are using, and cybercriminals are actually evolving to the level where they're mounting attacks at the size and complexity of nation state actors. So you need to really start thinking about, again, not the tool that's going to attack you or preparing for defense posture that is on the ransomware of the day or whatnot as well. But really start to think with your business or your organization, you know, who are those threat actors, like, most likely to attack me, and how are they interacting, you know, with cybercriminal ecosystems that are providing them with the tools or with nation states, where they're emulating those type of attacks to evolve how they're really mounting their attacks on organizations. 

Dave Bittner: And then what were some of the other bits of information that you gathered here? What were some of the other highlights? 

Kevin Magee: So I think, again, we're seeing these attacks where cybercriminals are actively making decisions as they go. They're controlling each step of the attack based on the configurations and defenses they encounter in the network. So they'll do quite a bit of reconnaissance. They maybe use an open-source tool like Mimikatz to harvest credentials. Then based on the reconnaissance, they may use a different payload for ransomware or whatnot or a different tactic once they're in your network to maximize their leverage, to maximize their take or to maximize their political goal, whatever they're really attempting to do. So we're seeing attackers persist longer in your environment, really to gain that understanding, to conduct reconnaissance so that they can make the best decisions to achieve their outcomes. 

Dave Bittner: All right. Well, the report is the Microsoft Digital Defense Report. Kevin Magee, thanks for joining us. 

Kevin Magee: Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed when you care enough to give the very best. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire Team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.