The CyberWire Daily Podcast 1.8.21
Ep 1245 | 1.8.21

The Solorigate cyberespionage campaign and sensitive corporate data. The cybersecurity implications of physical access during the Capitol Hill riot. Ransomware’s successful business model.


Dave Bittner: Solorigate and its effects on sensitive corporate information. The D.C. riots show the cybersecurity consequences of brute physical access to systems. A North Korean APT resurfaces with the RokRat Trojan. Ransomware remains very lucrative, and why? Because people continue to pay up. Thomas Etheridge from CrowdStrike on the role of outside counsel in the incident response process. Our guest is Larry Lunetta from Aruba HPE on how enterprises can bolster security in the era of hybrid work environments. And a criminal hacker gets 12 years in U.S. federal prison.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 8, 2021.

Dave Bittner: The US Justice Department has confirmed that it was among the organizations affected by the Solorigate incident. BleepingComputer tallies the number of compromised DOJ email accounts and comes up with about 3,400 mailboxes, roughly 3% of all the mailboxes in the department's networks.

Dave Bittner: KrebsOnSecurity says that the Administrative Office of the US Courts, in its own efforts to clean up after Solorigate, is particularly concerned about its case management, electronic case files system which holds sensitive and often sealed court documents. That system appears to have been hit hard by the cyberespionage campaign.

Dave Bittner: Bloomberg Law points out that much of that sensitive information involves corporate data. Those data include highly sensitive competitive and financial information and trade secrets, including companies, sales figures, contracts and product plans. Such matters are often addressed in court documents. The material could, include attorneys cited by Bloomberg Law say, quote, "Everything from the algorithms ERISA providers use to evaluate investments to pharmaceutical companies' formulations and chemical processes could be exposed via court documents. Whatever insider information has been improperly accessed could be used to manipulate securities markets and benefit foreign competitors," end quote.

Dave Bittner: Even assuming the Solorigate operators are Russian state espionage services, members of the large and active Huggy Bear family, the compromise of such information not only offers opportunities for disruption of an adversary's economic activity but the chance for a lucrative APT side hustle as well.

Dave Bittner: The rioting on Capitol Hill has left a cybersecurity mess in its wake. TechCrunch, while observing that classified material of the sort handled by various committees ought to be and probably is maintained on a separate, secure network, says that the physical access rioters had to ordinary IT systems was extensive. Forbes quotes experts to the effect that Congress should consider its devices and networks compromised and rebuild them accordingly.

Dave Bittner: Some of the first steps in remediating the goons' romp through the Capitol offices are now being taken. Politico reporter Eric Geller tweeted a message from the chief administrative officer of the US House of Representatives who yesterday issued guidance on recovering systems affected by Wednesday's riot. She said that while there was no evidence that House networks had been compromised, all offices should account for IT equipment and seek assistance if they find any missing. They should regard any device that may have been accessed during the riots as potentially compromised. And of course, they should change passwords on next login for any systems that may have been exposed to unauthorized access.

Dave Bittner: For the rest of us, an after-action review of the rioting should remind us of the threat that brute physical access to devices poses. There's theft of equipment, of course, and there's the simple, obvious problem of people just looking at the stuff - emails, documents, presentations and so on - that's left open to inspection by users fleeing their workstations in haste. It's like a massive shoulder surfing, or maybe the worst evil maid attack imaginable. It would seem that planning shouldn't overlook such things as device inventories, control of removable media, device encryption, easy locking of screens and so on, and, of course, fundamental physical security itself.

Dave Bittner: There are, of course, other things going on besides Solorigate and disorder in D.C. ZDNet reports a renewed campaign by North Korea's APT37, also known as StarCruft and Reaper, that's deploying the RokRat Trojan against targets of interest, for the most part South Korean. The infection vector has been compromised Hangul Office documents. RokRat has been seen before, but researchers at security firm Malwarebytes draw particular attention to the use being made in the current round of infections of self-decoding VBA Office files. That's been seen before, but it represents a new approach for APT37, Malwarebytes thinks.

Dave Bittner: How much money is there to be made in ransomware? A lot, a report published today by the security companies Advanced Intelligence and HYAS concludes. They've looked into the crooks' wallets, specifically at 61 deposit addresses attributed to Ryuk ransomware affiliates which are used to launder their bitcoin through alt-coin exchanges. The two exchanges most commonly used appear to be Huobi and Binance, both of which, the researchers say, claim to comply with international financial laws and express a willingness in principle to cooperate with investigations. In any case, the security companies say, quote, "after tracing bitcoin transactions for the known addresses attributable to Ryuk, the authors estimate that the criminal enterprise may be worth more than $150,000,000," end quote.

Dave Bittner: Two interesting side notes. The crooks are all business. They're quite indifferent to the mission or resources of their victims except insofar as that might affect their ability to pay. Sleazy chop shop or altruistic friend of the poor, it matters not at all to the criminals once they've got you.

Dave Bittner: But there is some discrimination in choice of target that's based entirely on ability and willingness to pay. Potential victims are graded with a score on their performance during preparatory attacks. As the report puts it, quote, "The precursor malware families that generally lead to Ryuk are used to create a score for the victim so that the operators will know how lucrative a target might be. For example, the number of domain trusts is one significant indicator that is collected automatically by precursor malware that is observed prior to a Ryuk incident. This score is then used to identify victim networks that would be the most likely to pay a large ransom," end quote.

Dave Bittner: Ransomware continues to be profitable because people keep paying the ransom. One example of this comes from Delaware County, Pennsylvania, which paid its extortionists, the Delaware County Times reports. It's not entirely clear how much the county paid, but reports suggest that the total may have been as much as half a million dollars. Most of that is believed to have been covered by insurance, with the county government on the hook for a $25,000 deductible. It will take a while before incentives align in ways that discourage ransomware attempts.

Dave Bittner: One criminal hacker, a Russian national who in September of 2019 copped a guilty plea to stealing information on more than 100,000 US consumers from a baker's dozen or so of companies, has now received his sentence. A US federal court has awarded Andrei Tyurin a 12-year sabbatical with the Bureau of Prisons. Mr. Tyurin targeted mostly financial institutions, brokerages and financial news outlets. Some 80 million of his victims were culled from JPMorgan alone.

Dave Bittner: Mr. Tyurin was convicted of offenses related to computer intrusion, wire fraud, bank fraud and illegal online gambling, the AP reports. Working from his home in Moscow, Mr. Tyurin is said by federal prosecutors to have taken in around $19 million. In extenuation and mitigation, he claimed to have only actually received $5 million, none of which was actually stolen, the rest having gone to a collaborator who apparently stiffed him of the remainder. Actually, $5 million seems like a lot to us, and we're vague on how his acquisition of it didn't constitute some form of theft. But then we're not lawyers, so perhaps some of the nuance escapes us. In any case, Mr. Tyurin told the judge in a letter that he feels "terribly ashamed" of what he did and that he's concluded he'd "chosen a wrong path in life." Repent at leisure, sir.

Dave Bittner: My guest today is Larry Lunetta. He is the vice president of solutions product marketing at Aruba. They are a Hewlett Packard Enterprise Company. Larry, welcome to the CyberWire.

Larry Lunetta: Nice to be here. Thank you.

Dave Bittner: So today, we want to talk about this notion about improving security as we find ourselves in the midst of this era of what you describe as a hybrid work environment and that it's really more than just kind of firing up that VPN and thinking that you have everything covered there. But let's start with just some sort of basic stuff here. Can you give us a little bit of the lay of the land? Where do we find ourselves today?

Larry Lunetta: Well, obviously, the pandemic has dramatically changed how we all work and connect to IT assets - right? - which is essential to our work style and success of the organization. And, you know, clearly, what's happened is we've all almost instantaneously become remote workers. And what that's done is not only put pressure on accessing IT resources and connectivity; it's introduced a significant amount of security risk. And the reason for that is that most of us, unless you're lucky and have some special equipment, are connecting via a simple VPN. And that connection, while encrypted, really needs a lot more security wrapped around it to protect the individual and the organization.

Dave Bittner: What sort of things do you have in mind here? What's the additional security that you're recommending?

Larry Lunetta: Basically, the idea is that instead of trying to use how you connect to the network to dictate your security and what you're allowed to access, you use your identity and the identity of the user and the device associated with that user and assign a policy. And the value of this is an organization that's already doing that when the user's in the office or, say, pre-COVID can use the same policies when that user is connected, remotely. So no changes have to take place, no reconfigurations, no changing of rules. And you get the same control for a remote worker as you do when that person's in the office. So identity is very, very important - authentication, then policy and authorization, and then finally enforcement. And that's where the network comes in. And you want to be able to enforce those policies naturally and without interruption, using infrastructure built into the network, such as embedded firewalls and things like that.

Dave Bittner: And is this - what we're discussing referred to as the zero trust mindset?

Larry Lunetta: That's correct, you know? Zero trust started almost 10 years ago. And the philosophy is, as I said, what you are entitled to access and your security position is not dictated or assigned based on how you connect. It's who you are and what permissions the organization wants to grant you. And the value of this is instead of using VLANs - which can spiral out of control very quickly and become unmanageable - you use, again, identity as the talisman for access. And that can follow, now, that individual, whether they connect in the office, whether they connect remotely, whether they connect wireless or wired. Doesn't matter. The policies still apply.

Dave Bittner: What are your recommendations for folks who are looking to explore this? I mean, how do they - what's the best way to get started?

Larry Lunetta: I think having an architecture or a philosophy is very important. And I mentioned zero trust. There's also another framework called secure access at the service edge, or SASE, that incorporates cloud services and security that's delivered - associated with things like SD-WAN. But know what they are because they're good guideposts and guidelines. They're not necessarily prescriptions or solutions, but it'll suggest a path that an organization can take. And you can kind of benchmark yourself where you fit in these frameworks and what the priority might be in terms of next steps. So it's important to look at this. And it's a bit of a cliche, but I think it's true to look at this as a journey, you know? No one buys a set of products and instantaneously is a hundred percent conforming with zero trust or SASE. But what you want to do is look at how you're moving workloads to the cloud. Are you using things like SD-WAN? And then think about how you want to organize your security based on that.

Dave Bittner: Larry Lunetta is the vice president of solutions product marketing at Aruba. Larry, thanks so much for taking the time for us today. 

Larry Lunetta: Delighted to be here. Thanks for the time. 

Dave Bittner:  Don't forget. We have extended versions of many of our CyberWire interviews as part of CyberWire Pro. You can find out more about that on our website And I'm pleased to be joined once again by Thomas Etheridge. He's the senior vice president for services at CrowdStrike. Tom, it's always great to have you back. I wanted to touch today on when it comes to incident response, the role of outside counsel in that process. What sort of things can you share with us today? 

Thomas Etheridge: Thanks, David. Appreciate being on again. One of the reasons we partner with outside counsel is there's the concept of attorney-client privilege. It is designed to protect confidential communication between attorneys and their clients. And the work-product doctrine precludes disclosure of many of these materials created at the direction of counsel specifically in preparation for a litigation. So when an organization is compromised and they're looking to ensure that the risk to their business is protected and that they are able to manage the communications effectively between stakeholders, business partners, their insurance provider, those communications are typically best handled under privilege. And working with outside counsel is a great vehicle to do that. 

Dave Bittner:  And what is kind of the pecking order here? I mean, where - you know, where does outside counsel sit in terms of, you know, leading things or collaborating? How does that all play out? 

Thomas Etheridge: So when we're engaged, underprivileged through outside counsel, outside counsel actually controls and leads the investigative path. They leverage the technical expertise of incident response firms such as CrowdStrike and our expertise in doing forensics investigation and this type of analysis. All communications, all coordination of the scope of the investigation, the expected path for communicating findings from the investigation is all typically managed through outside counsel. And that's in order to maintain privilege and also to maintain the integrity of the investigation from a scope and from a communications perspective. 

Dave Bittner:  And how do you make sure that - I don't know - things don't get bogged down, you know? When you have a lot of different - I guess I'm thinking of that old notion of having, you know, too many cooks in the kitchen. How do you maintain that communications is happening, you know, quickly, efficiently? When you're in the midst of an incident, I imagine, you know, that's hard to do. 

Thomas Etheridge: It is but one of the great things about working with outside counsel, especially experienced counsel, is that we typically set the ground rules for who's involved in the investigation, what the scope of the investigation is and what the escalation path is going to be, how often we will share information and communicate status and coordinate the investigation at the very beginning of an incident response investigation. So a lot of that framework is laid out in advance of all the work being done. And this is something that we do with outside counsel regularly. 

Dave Bittner:  And I guess this is also one of those kind of, you know, you-practice-like-you-play sort of things, that better to have all of these things laid out ahead of time and have your playbook ready so when incident response kicks in, you're not making a lot of these decisions while you're in the middle of a crisis. 

Thomas Etheridge: Exactly. And - exactly, if you ask me. 

Dave Bittner:  Well said (laughter). 

Thomas Etheridge: Yeah - no, I mean, that - we do see a lot more maturity in terms of organizations running tabletop exercises, having documented policies and playbooks for handling incidents. One of the trends that we reported on a little last year was an increase in the number of organizations that are starting to include outside counsel on the concept of privilege in their tabletop exercises and in their policies and playbook. So although the practice is there, the expansion of that practice to include stakeholders such as outside counsel is starting to rise in engagements that we're involved in. 

Dave Bittner:  Interesting. All right. Well, Thomas Etheridge, thanks for joining us. 

Thomas Etheridge: Thank you, Dave. 

Dave Bittner:  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. We'll save you time and keep you informed. Savor these precious things. Listen for us on your Alexa smart speaker, too. Don't forget to check out "Research Saturday" and my conversation with Shimon Oren from Deep Instinct. We're going to be talking about why Emotet's latest wave is harder to catch than ever before. That's Research Saturday. Do check it out. 

Dave Bittner:  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.