The CyberWire Daily Podcast 6.21.16
Ep 125 | 6.21.16

DNC hack looks like Russia's work, but Guccifer 2.0 still says no. (Nyet?)


Dave Bittner: [00:00:03:06] FireEye sees better Chinese international citizenship in cyberspace, at least with respect to the US. CrowdStrike is joined by Mandiant and Fidelis in attributing the DNC hack to Russian actors. Motherboard interviews "Guccifer 2.0", whoever he may be. A bad Santa delivers ransomware to his naughty list. Researchers find real and apparent phishbait. The US General Services Administration moves to facilitate cyber contracting. The US Secret Service wants cyber triage tools and it wants them pronto. Israel relaxes some cyber export controls. And Wassenaar reconvenes this week.

Dave Bittner: [00:00:42:09] I want to thank our sponsor, E8 Security, and remind you to visit to check out their free white paper, "Detect, Hunt, Respond." It's going to give you the information you need to deal with the unknown threats in your network, the threats no-one has ever seen before. E8 is going beyond legacy signature matching and human watch standing. They're hunting these unknown threats with machine learning and big data analytics. See what E8 has to say, download the free white paper at And as always, we appreciate E8 for sponsoring the CyberWire.

Dave Bittner: [00:01:26:22] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, June 21st, 2016. FireEye reports that the Sino-American cyber talks seem to be having good effect. The security company says that Chinese government cyber espionage directed at the United States appears to have fallen off dramatically. That's not the case elsewhere. Some of the Chinese espionage units formerly employed against American targets are showing up in campaigns directed at other countries, notably Russia, and other target sets, notably in the financial sector.

Dave Bittner: [00:01:57:20] Turning to the week's continuing big story, the successful hack of the Democratic National Committee, CrowdStrike is standing by its attribution of the incident to two Russian government actors, APT28 and APT29, in all likelihood the FSB and the GRU. Two other companies, Fidelis and FireEye's Mandiant unit, have investigated the evidence and reach essentially the same conclusion. The malicious code found in the attack is substantially similar to that used in other attacks by Russian actors. Against this conclusion, of course, are claims of responsibility by Guccifer 2.0, whom we can now refer to as "him." Someone representing himself as Guccifer 2.0 has been in touch with Motherboard. While many observers regard Guccifer 2.0 as a front for the Russian government, that's not so, the gentleman in question tells Motherboard. In fact, he not only doesn't work for a Russian intelligence service, he doesn't even like Russia. What he does like include, in no particular order, Gucci, Marcel Lazar, who's Guccifer 1.0, now in US custody, women, and the "freedom of minds." Guccifer 2.0's exchanges with Motherboard were conducted at least partially in Romanian, and Motherboard says the Romanian native speakers it consulted say 2.0's Romanian isn't really that good.

Dave Bittner: [00:03:13:06] 2.0 did claim his "heuristic algorithms" were too much for the DNC's security, that the Russian stuff in the stolen documents' metadata was his "personal watermark," that he "feared for his life," and that he wanted to "fight for the world without the Illuminati." Motherboard's tone throughout its account of the exchange strikes our staff as one of polite but open-minded skepticism. We did talk to someone with firsthand knowledge of the investigation, Fidelis Vice President of Cybersecurity Services, Mike Buratowski. Here’s his take on the affair.

Mike Buratowski: [00:03:46:06] Some of the stuff that really stood out to us was the complexity and almost grace, if you will, or the elegance of the malware that was there. Very complex, had substantial amount of information in there that your normal script taker or lowland hacker really wouldn't put in or take the time to really finesse if you will.

Dave Bittner: [00:04:09:06] So what about Guccifer 2.0, the online entity, claiming credit for the attack?

Mike Buratowski: [00:04:14:17] It's a little hard to say. I find it intriguing that this person just came on the scene shortly after CrowdStrike reported on the actual malware, so it kind of makes you wonder about the motivations. You know, that being said, when we do investigations, it's not uncommon for there to be multiple actors in a particular victimized company. You may trace it back to a particular stringed malware, particular point of entry. However, if you find multiple points of entry, then a lot of times the malicious actors don't even know that there's other bad guys in the victimized network.

Dave Bittner: [00:04:54:04] Guccifer 2.0 says that they are a lone wolf in this attack and that CrowdStrike's attribution to Russian intelligence agencies is incorrect. Buratowski and his team at Fidelis say, "Not so fast."

Mike Buratowski: [00:05:06:01] When you look at the totality of the circumstances, you're looking at the targeted victims, what information was stolen, what was done with the information after it was taken. And when you start doing that, it paints a picture of probability as to who the actor could be. And then something as simple as, "Well, how complex is the malware and would an average person or an average group have the capabilities to be that elegant if you will in their development of the malware?" And when you start putting all those things together, it then, in this particular case, it definitely points back to a state-sponsored actor, likely being a Russian actor. So again pointing to a specific agency, I, I don't-- there's nothing-- let me put it like this, there's nothing that would cause me to believe that CrowdStrike is incorrect, that's for sure.

Dave Bittner: [00:06:02:22] After the DNC's opposition research on Donald Trump was released, the head of the DNC announced that there was no personally identifiable information included in the hack which prompted Guccifer 2.0 to release personally identifiable information, in the form of donor information. Buratowski warns that there's a good chance there's still more to come.

Mike Buratowski: [00:06:22:08] Based on the complexity of the malware that was there, I think there's a fair possibility that there's a substantial amount of information that was taken. I think it's to be determined though I definitely would not be surprised if we see a lot more information come out as the campaigns progress.

Dave Bittner: [00:06:40:15] That's Mike Buratowski, he's senior VP of Cybersecurity Services at Fidelis. We also sat down with the CyberWire’s editor, John Petrik, for some perspective on false flags and attribution. We'll hear from him after the break.

Dave Bittner: [00:06:57:03] So ransomware continues its evolution. Ded Cryptor, an EDA2 strain, is out, as we've heard, courtesy, apparently, of the Russian cyber mob. Sophos Labs are reporting, through Dark Reading, that a new variety of JavaScript ransomware, RAA, is out. It's a departure from the familiar extortion norm in that, being composed in JavaScript, it doesn't depend upon the victims running a macro for infection. Phishing is, of course, a common way of distributing malware, ransomware and other malicious code. Apple users are currently being phished with a credential-stealing malware packaged in an email alerting them to a "virus in the iTunes database." There is no such virus, but if you bite on the phishbait you may cough up your Apple ID. An email that looks like phishbait but is actually legitimate is circulating from LogMeIn, which is asking some customers to reset their passwords in the wake of the recent credential leaks from LinkedIn, MySpace, and others. See the accounts in Help Net Security and the Internet Storm Center for notes on what makes legitimate communication with customers look phishy.

Dave Bittner: [00:08:00:04] xDedic, the underground market that sold server time on compromised RDP servers, may be larger than initially believed. Kaspersky sees some evidence from data released on Pastebin that Canadian and German servers joined Brazil, China, the US, and the UK in the top ten. But these indicators await confirmation in further investigation. In industry news, the US General Services Administration's efforts to create a new special item number for cybersecurity products, an SIN, in its IT Schedule are being regarded skeptically by industry. The GSA's Schedules are designed to facilitate purchases of common products and services Government-wide, but some observers are dubious that the GSA will be able to keep pace with the rapid evolution of technology in the field.

Dave Bittner: [00:08:48:24] The US Secret Service wants a quick turnaround on its own solicitation for "cyber-triage tools." They want tools that can be rapidly deployed for network remediation. The Secret Service hopes to issue thirty awards in each of two pools, "single-user licenses" and "malware-scanning services." Contracts are expected to have one-year periods of performance.

Dave Bittner: [00:09:09:18] The Israeli government, whose Unit 8200 has incubated a number of security start-ups, has moved to relax some of its controls on cyber exports. Internationally, Wassenaar is back. Meetings resumed in Vienna yesterday on revising the controversial and, in the US delayed, cyber arms export control regime. This round of talks will conclude tomorrow. Another round of negotiations is scheduled for September, leading up to a planned December plenary session in which the parties hope to reach final agreement. And, finally, Guccifer 2.0, please feel free to come visit us. We promise there are no Illuminati here, not much Gucci, either, alas, but we hope you can overlook that. And when you come, will you bring Satoshi Nakamoto with you? We'll leave the light on.

Dave Bittner: [00:09:59:20] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at

Dave Bittner: [00:10:26:18] Joining me once again is John Petrik. He's the editor of the CyberWire. John, we're continuing to follow this story about the hacking into the DNC. How would you categorize this? Is this a, is this a false flag situation with the Russians or covert operations? How do we label this one?

John Petrik: [00:10:42:09] There are three companies that have been investigating this. CrowdStrike is the first and they've since been joined by Fidelis and Mandiant. CrowdStrike's conclusion, which has been echoed by the other two, is that the hack of the DNC is really a job by the Russian intelligence services, by both the FSB and GRU possibly. So people are wondering if this is so, because there's this guy calling himself, herself, themselves, Guccifer 2.0, that says, "It's me, I did it, I'm a lone hacker, I hacked the DNC for my own purposes, CrowdStrike doesn't know what they're talking about. There's no Russian involvement whatsoever." So other people have been saying, and CrowdStrike has suggested this too, is that Guccifer is a false flag. That is, Guccifer is really just a front for Russian intelligence services, that is for the FSB and the GRU. So what's a false flag? Literally, a false flag operation is when one country conducts some sort of combat operation or demonstration purporting to be members of another country, either a targeted country or an uninvolved country. It comes from the days of sail when you might raise somebody else's flag on your warship to deceive the quarry you're approaching. I don't know if this is really a false flag operation. It's a case of the assumption of a false identity, if that's what it turns out to be.

Dave Bittner: [00:12:12:05] Speaking of false identities, what are some examples of that? What are other false identities people assume?

John Petrik: [00:12:16:08] Well, some of it comes down to a form of branding or even criminal branding. There's-- for example, there's a new ransomware campaign that's come to light this week. It's being called DEDCryptor. That is roughly Russian for Grandpa Encryptor. And it's a riff on the Russian Santa Claus, they've got a bad Santa logo and everything associated with the ransomware that pops up on your screen. So because we're a family show, maybe it's worth saying this to any of the children who listen to us and [FOREIGN DIALOGUE] is still okay. Santa's okay. [FOREIGN DIALOGUE]

Dave Bittner: [00:12:58:10] Wow, John, your, your Russian's pretty good. People are gonna start to talk.

John Petrik: [00:13:02:21] [LAUGHS] You know, the GRU does have its false flags.

Dave Bittner: [00:13:07:21] Okay, thanks for joining us, as always.

Dave Bittner: [00:13:09:07] And that's the CyberWire. Thanks to all of our sponsors for supporting the show. We hope you will check them out. That really does help us. The CyberWire is produced by Pratt Street Media. Our editor is John Petrik and I'm Dave Bittner. Thanks for listening.