The CyberWire Daily Podcast 1.15.21
Ep 1250 | 1.15.21

Charming Kitten’s smishing and phishing. Solorigate updates. Supply chain attacks and the convergence of espionage and crime. Greed-bait. Ring patches bug. Best practices from NSA, CISA.


Dave Bittner: Well-constructed phishing and smishing are reported out of Tehran. Estimates of SolarWinds compromise insurance payouts. Notes from industry on the convergence of criminal and espionage TTPs. Social engineering hooks have been baited with greed. Ring patches a bug that could've exposed users' geolocation and their reports of crime. Advice on cyber best practices from CISA and NSA. Robert M. Lee has thoughts for the incoming Biden administration. Our guest is Sir David Omand, former director of GCHQ, on his book "How Spies Think: Ten Lessons in Intelligence." And an ethics officer is accused of cyberstalking.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 15, 2021. 

Dave Bittner: Iranian cyber campaigns have been overshadowed by the probably Russian Solorigate operations, but Charming Kitten was active over the holidays. ZDNet cites a CERTFA Labs report on Christmas- and New Year-themed phishing and smishing that appears to have enjoyed some success. The campaign represents the second time charming kitten has been able to hide behind legitimate Google URLs. 

Dave Bittner: CERTFA, which specializes in monitoring Tehran's online activities, says that the campaign was interested in members of think tanks, political research centers, university professors, journalists and environmental activists in the countries around the Persian Gulf, Europe and the U.S. 

Dave Bittner: The smishing aspects of the campaign used texts that represented themselves as Google account recovery messages. The text itself is idiomatic and plausible without the typographical or usage eccentricities that so often mark smishing. And the URL which the victim is invited to follow in order to confirm their identity also looks more legit than usual, given that it begins with the reassuring 

Dave Bittner: The phishing was comparably well-constructed and plausible. It was also more varied and, to some extent, tailored to cater to the probable interests and predispositions of the recipients. These emails generally communicated holiday greetings. 

Dave Bittner: Both the phishing and the smishing used redirect services, the better to bypass email security systems. The holiday campaign represented, CERTFA thinks, a continuation of earlier efforts. And charming kitten can be expected to remain comparably active and inventive in the coming months. 

Dave Bittner: As Solorigate remains under investigation, BitSight tells CRN that one aspect of the campaign, the supply chain attack that backdoored SolarWinds' Orion platform, could cost insurers some $90 million. If that seems low, consider that a large fraction of the most seriously affected victims were U.S. government agencies that normally don't carry cyber insurance. And also consider that the incident is still relatively new, with a great deal more investigation to be done. 

Dave Bittner: Intel 471 argues that Solorigate displays the continuing convergence of criminal techniques and cyber-espionage tactics. Supply chain attacks started as a technique in the cybercriminal underground and their utility in espionage is now also evident. 

Dave Bittner: Started in the cybercriminal underground is perhaps overstated. Supply chain attacks haven't been overlooked by intelligence agencies, as Intel 471 itself notes. 2016's NotPetya incident, in which software updates for the Ukrainian accounting software package MeDoc were compromised to spread malware that masqueraded as ransomware, was a software supply chain incident credibly attributed to Russian intelligence services. And there have been, over the past decade, numerous accounts of hardware supply chain poisoning, some of which have been partially confirmed, some debunked and others left undetermined. 

Dave Bittner: Again, as Intel 471 says, the tactics, techniques and procedures of a supply chain attack are attractive to both criminals and intelligence organs. There's another reason for the confluence. There appears to be an increasing tendency for governments to outsource development of some attack tools. That's attractive for a number of reasons, economy and deniability figuring prominently among them. 

Dave Bittner: Bitdefender describes a resurgence of the Remcos remote access Trojan, engaged, as rats so often are, in credential theft. In this case, Remcos used COVID-19 phishbait in its spam and concealed additional malicious payloads steganographically in popular viral images. The campaign also featured anti-reverse-engineering elements. Remcos has been out and making a nuisance of itself since 2017, at least. Bitdefender says the current ongoing surge began late last summer. 

Dave Bittner: Remcos has seen a good deal of use by criminals. In another example of the convergence of crimeware with spyware, it's also been used by APT33, thought to be run by Iran, and the Gorgon Group, which researchers have associated with both criminal gangs and Pakistani agencies. 

Dave Bittner: Coronavirus phishbait has also been used in large-scale business email compromise campaigns. Proofpoint reports that the lures generally appealed to greed rather than fear. Typical bait, with the act-now urgency that characterizes social engineering and business email compromise, dangles predictions of a coming, vaccine-driven, global economic boom, offering big profits to savvy early birds. Other bait suggests investment opportunities in distressed companies sure to turn profits post-turnaround or even the mundane notice about a vaccine-related shipment. 

Dave Bittner: Ring, the smart doorbell unicorn acquired by Amazon, says that it's fixed a privacy issue with its Nextdoor neighborhood watch functionality. TechCrunch reports that hidden geolocation data and message metadata could have been exposed via a bug that enabled those who knew where to look to retrieve the data. The vulnerability was worrisome in that it could have exposed the locations of the homes of those who, for example, reported crimes. 

Dave Bittner: US federal agencies and, by implication, those in the private sector who do business with them have been given two more bits of guidance on sound practice. The Cybersecurity and Infrastructure Security Agency has recommended using ad-blockers and taking other steps to secure browsers as a means of protecting against malvertising. 

Dave Bittner: CISA's advice comes in three parts. First, standardize and secure web browsers according to leading practices. This reduces attack surfaces, simplifies monitoring and makes both configuration and patch management easier. Next, use ad-blockers. This not only reduces the risk of malvertising itself and attendant malicious redirects, but cuts the risk of unauthorized data collection and improves client-side performance. And finally, isolate browsers from operating systems, with many attendant gains in security, flexibility and efficiency. 

Dave Bittner: NSA has warned against regarding DNS-over-HTTPS, known by the acronym DOH, as a security panacea. ZDNet says that the bottom line of NSA's advice is for organizations to host their own DOH resolvers and avoid sending DNS traffic to third parties. 

Dave Bittner: And finally, there's a cyberstalking case in Florida. Threatpost reports that the former ethics officer for the city of Tallahassee has been arrested and charged with cyberstalking a former inamorato who also worked for the city. The arrest was made Monday, and the judge has ordered her to stay away from the sometime object of her affections and also to keep off the internet until her trial is over. The former ethics officer who had been responsible for, among other things, training Tallahassee civil servants and office holders in, well, ethics should be considered innocent of the misdemeanor until proven guilty. Still, one is tempted to think, physician, heal thyself. 

Dave Bittner: Sir David Omand is visiting professor at King's College London and former director of GCHQ, the UK government's intelligence and security organization. He's author of the recently published book "How Spies Think: Ten Lessons in Intelligence." Sir David Omand, thank you for joining us. 

David Omand: It's a pleasure. 

Dave Bittner: Well, let's begin with the book here. What prompted you to write the book "How Spies Think"? 

David Omand: I started writing this book after seeing how, first of all, the British Brexit referendum and then the 2016 U.S. presidential election were being reflected in social media. And I was getting increasingly cross at the way that I saw this rising tide of half-truths and distortions trying to persuade us online of what we ought to think and want, not to mention some outright falsehoods and deceptions - and not just coming from Russia aimed at widening divisions in society and increasingly setting us at each other's throats. 

Dave Bittner: Well, the book sets up a framework that you all used in British intelligence that you maintain is useful for all of us, as we try to deal with this misinformation quite often. Can you take us through? I mean, how does someone trained the way that you were approach this sort of information? 

David Omand: I've coined an acronym, SEES, S-E-E-S, for the four kinds of output that rational analysis or - can give a decision-maker. And the first S in SEES is situational awareness, facts on the ground. But facts on their own tell you nothing. It's only when you explain them, when you put them in a context, that they actually have meaning for us. And this can be really quite difficult. 

David Omand: This is E in the first E in SEES - the explanation of what you're seeing. I mean, every defense lawyer knows this, but if you've got a good explanation and enough data, then you can estimate how things might evolve. And this is, for the decision-maker, really what they want to know. It's looking ahead. It's saying, on the basis of these assumptions, this is what we expect to see happening next. And this answers questions that start with why or what for? 

David Omand: But whilst you're focused on those first three - situational awareness, explanation and estimation - something totally unexpected is liable to come and hit you on the back of the head. So I round off the acronym, the final S, with strategic notice. That is giving the decision-makers some advance warning of things that might come and disturb them, dangerous developments in the future. Taken altogether, if you have those four outputs, then you can, I think, take good, evidence-based decisions. 

Dave Bittner: What do you hope that people take away from it? What do you hope that someone who reads the book learns from it? 

David Omand: Well, the top-line message would be - be much more aware in this digital era as you use social media. Be aware of what is happening to you. You are being emotionally manipulated. And whether it's for the purposes of commercial purposes, advertising that is targeted at you, whether it's political advertising that's targeted at you, or indeed whether it's hostile interference in your democracy targeted by an adversary country, be aware of that. Not everything you read is true and, I think, that sense of just being more careful. 

David Omand: And that leads inevitably into kind of analysis you need to carry out, kind of thinking, let's call it - just thinking. You just have to be a little more careful how you think in this era. And politicians have to be more responsible about - although they can try and manipulate us emotionally using social media, for example, they shouldn't. They should get back to a much more rational conversation with their voters. 

Dave Bittner: Well, the title of the book is "How Spies Think: Ten Lessons in Intelligence." Sir David Omand, thank you so much for joining us. 

David Omand: It's been a pleasure. 

Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. We have got a new presidential administration coming into Washington. And I wanted to get your take on advice that you would have for an incoming administration from the ICS point of view. What sort of advice would you share? 

Robert M. Lee: Great. So I've been giving advice to those that have asked in the transition team and similar, so I'm happy to share it publicly. There's a couple key things I think are really relevant. And really, I'll start at kind of the strategic level and then dig into some - maybe some more tactical areas. 

Robert M. Lee: So No. 1 - at a strategic level, when you think about cybersecurity, whether it's infrastructure-related or not, one of the core problems we've consistently had is a misunderstanding of roles and responsibilities of the private sector and the government. And the reality is the government's involvement, contributions and, sometimes, just direct funding of efforts in the private sector have been really well met. I mean, there's been a lot of things that they've done that have absolutely helped the community. 

Robert M. Lee: At the same time, when you have success, or maybe you have a big mandate for somebody like Congress, and you try to go satisfy that mandate, you very naturally start running into conflict with the private sector. And fundamentally, I'm a strong advocate that tax-paying entities should not be competing with tax-paid entities. And it's not just on the sort of ethics of that statement. It's actually in the fact that one of the United States' greatest strengths is the ability to have a well-functioning government and a well-functioning private sector. 

Robert M. Lee: Hollywood has done more for diplomacy by teaching kids in Norway English than, you know, an embassy in that location would. The Silicon Valley and Maryland kind of cyber hubs, if you will, of technology and innovation and the things that come out of that far outpace and outperform any innovation that's happened in government. And that's a good thing. We even saw government take great advantage of this with the defense industrial base. We don't build airplanes. We go and talk to Raytheon and Northrop and Boeing. And we partner, and we figure out how to create best-in-class, you know, weapons systems. 

Robert M. Lee: And so in the same way, my probably guiding advice is, No. 1, clarify the roles and responsibilities 'cause there's fights interagency that's confusing. When I get CEOs of power manufacturing companies that ask me, like, who are we supposed to call? Because when the FBI comes in, they say, call me when there's an incident. DHS comes in. Call me for this. DOE comes in. Call me for this. And we have sector-specific agencies. 

Robert M. Lee: And we should very much figure out and stick to roles and responsibilities at the same time, stop telling the private sector that you can do things that you can't. Hey, we'll be your instant response team. You got, like, four people on the team, and you don't even have the legal authorities. Like, stop it. 

Robert M. Lee: And so figuring out how to balance that - or the idea that government's going to be creating technology that competes with the private sector - absolutely ridiculous. So, you know, said simply, if you call the ball, you got the ball. If you say, hey, I'm on it, you got to own it. And the private sector will instantly wash their hands and then go, cool, they've got it. But if you can't scale the mission everywhere, you can't really do what you're calling. And you've got to not do it. Otherwise, you're going to confuse the heck out of folks. 

Robert M. Lee: Sort of digging in beyond that, I would say that cybersecurity can be and should be nonpartisan. And we have seen this to great effect. When I went and testified to the U.S. Senate Energy and Natural Resources Committee in 2018, it was Republican and Democrats at a very decisive time in the United States, right? 2018, 2019, 2020 - definitely very polarized politics. And the committee was great. And you couldn't pick out which ones were Republicans or Democrats on the ways they were asking the questions because everybody cared that we wanted to have secure and reliable electric and gas and water infrastructure. Everyone agreed with that. They might have debated about the how, but we all agreed that this was worth doing and something that had a role for the private sector and a role for government. So keeping that bipartisan or nonpartisan nature of cybersecurity needs to be forefront. 

Robert M. Lee: And we need to make sure that we're playing to our strengths. Those are kind of the two biggest things. I got plenty of practical suggestions I make them. Hey, here's what's going on here. Hey, please don't stand up yet another committee. Don't stand up yet another agency. Like, we have too much stuff. You need to button it up if anything. You know, there's all sorts of tactical things. But at a strategic level, if we make cybersecurity nonpartisan, if we play to our strengths and if we clearly define those strengths and roles and responsibilities, we will be in a much better place nationally. 

Dave Bittner: All right. Well, Robert M. Lee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Discover your own backyard. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Don't miss this weekend's "Research Saturday" and my conversation with Selena Larson from Dragos on a pair of activity groups they've been tracking who now possess ICS-specific capabilities and tools to cause disruptive events. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.