The CyberWire Daily Podcast 1.19.21
Ep 1251 | 1.19.21

EMA emails altered before release in apparent disinformation effort. Vishing rising. Another backdoor found in SolarWinds supply chain campaign. An arrest and a stolen laptop.

Transcript

Dave Bittner: The European Medicines Agency says stolen emails about vaccine development were altered before being dumped online. Another back door is found associated with the SolarWinds supply chain campaign. DNS cache poisoning vulnerabilities are described. The FBI renews warnings about vishing. Iran's Enemies of the People disinformation campaign. Rick Howard previews his Hash Table discussion on Solarigate. Verizon's Chris Novak looks at cyber-espionage. And the FBI makes an arrest in connection with a laptop taken during the Capitol Hill riot.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 19, 2021. 

Dave Bittner: The threat actors who stole COVID-19 vaccine documents appear to have altered them before releasing them online, the European Medicines Agency says. The material stolen, EMA says, included internal confidential email correspondence dating from November relating to evaluation processes for COVID-19 vaccines. Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines. 

Dave Bittner: Emails about the vaccine development process were altered to give the appearance that this process was less credible than it might otherwise have been believed to be. And EMA stands by the effectiveness and credibility of its reviews. The corrupted, altered data thus appeared to have been emails about vaccine development and not data collected in the course of that development or during evaluation of vaccines. 

Dave Bittner: Symantec reports another discovery in the Solarigate threat actors' armamentarium - Raindrop, a back door used to drop Cobalt Strike. 

Dave Bittner: Raindrop bears some similarities to Teardrop, malware earlier identified as having been delivered by the Sunburst back door. Both load Cobalt Strike Beacon, but Raindrop uses a custom packer for Cobalt Strike. Raindrop also appears to be used to propagate across networks and may have been used selectively against high-interest targets. 

Dave Bittner: Various sources are warning of seven vulnerabilities in the widely used DNS forwarding client for Unix-based operating systems, Dnsmasq. Vulnerable systems could be susceptible to DNS cache poisoning. The seven vulnerabilities are being collectively tracked as DNSpooq. JSOF has a page up devoted to DNSpooq, and users of affected systems are advised to apply patches as they become available. 

Dave Bittner: On Friday, the US FBI renewed and updated a December warning about an Iranian campaign, Enemies of the People, intended to exacerbate US domestic mistrust and division by, quote, "threatening the lives of U.S. federal, state and private sector officials using direct email and text messaging," end quote. The operation also involves menacing doxxing. 

Dave Bittner: The bureau's warning says, quote, "the Iranian cyber actors have sought to intimidate some of the officials with direct threats, including an image of an apparent text communication between the EOTP actors and an unidentified individual in the United States purportedly supporting the operation. Individuals in the United States intent on disrupting the peaceful transition of power potentially may be inspired by and act upon these influence efforts to harass, harm, threaten or attack individuals specifically identified," end quote. 

Dave Bittner: Enemies of the People represents an extreme form of this tendency in influence operations. CyberScoop reports seeing a US intelligence assessment that claims Russian and Chinese services are using the Capitol Hill riot as an occasion for propaganda and disinformation. Those two nations' styles have been consistent with that on display in past campaigns. Russian disinformation has been negative and disruptive, concentrating on producing red-meat conspiracy theories about the Capitol Hill riot. 

Dave Bittner: Chinese disinformation has been characteristically positive - that is, not positive in the sense of happy or optimistic but positive in the sense of persuading its international audience of a particular position - more accurately, two positions. First, the United States is a power in decline. And second, this is what happens when you tolerate democratic demonstrations. You get anarchy, which is why, in Beijing's line, it's a good thing they cracked down on Hong Kong. 

Dave Bittner: At the end of last week, the FBI also issued a Private Industry Notification warning of increased rates of vishing aimed at theft of corporate remote access credentials with a view to furthering privilege escalation. A common gambit is an invitation to log into a bogus VPN page. BleepingComputer observes that this is the second such alert the FBI has issued since the onset of the pandemic. 

Dave Bittner: The FBI sees this particular warning as calling out a new style of criminal activity. Quote, "cybercriminals are trying to obtain all employees' credentials, not just individuals who would likely have more access based on their corporate position," the alert says. Once they have some initial access, even relatively lowly access, it's then the criminals' task to work their way into other, more sensitive precincts of the organization's network. 

Dave Bittner: And finally, the FBI is investigating whether a Pennsylvania woman, identified as Riley June Williams, stole a laptop or a hard drive from US Speaker Nancy Pelosi's office during the Capitol Hill riots with the intent of selling it to Russian intelligence services. The Washington Post says the suspect has now turned herself in and been arrested. 

Dave Bittner: POLITICO, which broke the story over the weekend, calls the charges bizarre, by which they mean startling and not inherently implausible. The FBI says it was tipped off by a source identified only as a former romantic partner of the suspect. The ex-boyfriend, as The New York Times describes the tipster, said that Ms. Williams intended to sell the computer device to a friend in Russia, who then planned to sell the device to SVR, Russia's foreign intelligence service. 

Dave Bittner: The transfer of the device to the Russian middleman seems to have fallen through for unclear reasons, if indeed there was any actual plan to do so. And Ms. Williams is believed to have retained the laptop in her possession. 

Dave Bittner: The investigation is continuing. The laptop Speaker Pelosi's staff reported stolen is said to have been used only for presentations, but it's unclear what, if anything, Ms. Williams may have taken and what, if anything, she hoped to turn over to the SVR. 

Dave Bittner: And joining me once again is the CyberWire's chief analyst and chief security officer, Rick Howard. Rick, welcome back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So last week, you analyzed the SolarStorm campaign, and you did it through a first-principle lens. And you concluded that the best strategy that could've helped there was a robust, zero-trust deployment. Now, I know you've invited some of our subject matter experts to the CyberWire Hash Table this week to discuss that idea. Did they come up with any practical advice? 

Rick Howard: Indeed they did. I talked to both Gary McAlum, the USAA chief security officer, and Don Welch, the Penn State University CIO. They said that the two most practical things infosec teams could do to defend against this kind of supply-chain attack are, one, a human process of two-person control and, two, a combination of human process and security automation called privileged access management. And for the two-person control, I want you to think about our old hacker movie, Dave - our favorite one, "WarGames." I know we both love it. 

Dave Bittner: Yes. Yes. Yes, indeed. 

Rick Howard: Right. So do you remember the opening scene where the two Air Force officers go down into the nuclear missile silo? And because of, you know, reasons, they are told to launch the missiles. 

Dave Bittner: Right. 

Rick Howard: Well, as audience members, we learn that you can't do that destructive act unless two people - in this case, U.S. Air Force officers - turn the launch keys at the same time. And that is what Gary and Don are recommending. For critical operations - let's say, I don't know, issuing new authentication tokens to your cloud environment, just to name one - maybe it shouldn't be possible to make changes like that unless two people authorize the change. 

Rick Howard: And then for privileged access management, we did two entire episodes of identity management back in Season 2 of the "CSO Perspectives" podcast. But it's basically policy and automation control actions for critical or privileged systems. In fact, Don prefers that solution over the two-person control because it's less costly in terms of people resources. Here's Don. 

Don Welch: Things like privileged access management with monitoring of everything that is done, you know, in those system administrations so that you can go back and find out that something has gone wrong and hopefully catch it, you know, before too much damage is done - not as good, but once again, it's a lot less expensive to implement a solution like that than it is that two-person control. 

Dave Bittner: Wow, interesting stuff for sure. So if folks want to check out the Hash Table discussion, it is "CSO Perspectives." That is part of CyberWire Pro. You can find out all about it on our website, thecyberwire.com. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I'm pleased to be joined once again by Chris Novak. He is the global director of Verizon's Threat Research Advisory Center. Chris, always great to have you back. We want to talk today about the report that you all recently published. This is Verizon's Cyber-Espionage Report. Take us through. First, what prompted the creation of the report? 

Chris Novak: Yeah, thanks. Thanks, Dave. Always a pleasure to be here. And it's our first time ever putting together a report specifically on cyber-espionage. For, I mean, over 10 years now, we've put together our Data Breach Investigations Report, which really kind of focused on the entire threat landscape. And lately, we've been seeing an incredible amount of interest in diving more deeply into, what does the cyber-espionage world look like? And honestly, I think it's probably even more kind of profoundly topical these days with what seems to be going on in the news. And so we've really just decided, hey, let's take that plunge and dive specifically into that topic. So we kind of created this separate report just to look at that avenue. 

Dave Bittner: Well, take us through. What are some of the highlights, the key things that you all bring to - into focus here? 

Chris Novak: Sure. I mean, I'd say that probably the biggest things - and, you know, maybe for most people not a surprise - but, you know, when we carve out the data and look at cyber-espionage breaches, they typically take much longer to discover, which, again, I don't think is a surprise - typically on the order of months to years. Containment - typically, if you're lucky, maybe days. But typically, that's also ranging out to, you know, months. And, you know, that's - you know, when you look at the entire macro landscape, that's substantially longer than what you'd see in other kinds of breaches. 

Chris Novak: The other thing I'd also say is that a lot of them would be something that I would classify as being kind of underreported. You know, typically, these threat actors are after a different kind of data. So most of what we see in the broader landscape is typically financially motivated. They're going after, you know, PII, PCI, stuff like that that they can easily sell. 

Chris Novak: But the cyber-espionage landscape is quite different in that it's typically looking for trade secrets, intellectual property, more of what you would think of in a traditional espionage kind of sense. And it's not necessarily data that someone's going to steal and sell. But typically, it's something that someone is going to steal and use for their own gain. And in many cases, since it's not something like PCI or PII or something like that, there's typically also not the same kind of regulatory duties to notify. So we actually believe a lot of that is highly underreported. 

Dave Bittner: Yeah. How does an organization judge or calibrate if - the amount of relevance that this report has to them? 

Chris Novak: Yeah. And I think, honestly, you have to look at your threat model, right? You have to look and see what is it that you are most concerned about. What kind of business are you in? And I think everybody kind of has a little bit of everything going on. 

Chris Novak: But typically, you know, if you're looking at certain kinds of industries, like education, financial services, information management, manufacturing, mining and utilities, professional services and public sector, those are the industries that we see most heavily hit by cyber-espionage kinds of attacks. So if you're in one of those areas, then it's definitely something you've got to be figuring into your threat model. 

Chris Novak: And I think, honestly, a lot of organizations in those industries have probably not put as much effort into it, partially because it is probably one of the hardest things, right? You're trying to defend against an adversary that is extraordinarily persistent. And they typically want in to a specific target because of something only that target has, right? 

Chris Novak: If you compare and contrast that with what we typically see in financially motivated breaches - you think of financially motivated breaches, the threat actor, they don't care who they're stealing the funds or the data from as long as it is something that they can monetize. If they can't get into Victim A, they're happy to try Victim B, C, D and so on. But when you look at espionage, that's generally very different because I want in to Target A or Target B because of the very specific data that maybe they and only they actually have. 

Dave Bittner: How important is it for organizations to share information, to collaborate here, to help spread the word about these sorts of efforts? 

Chris Novak: I think it's critically important. It's interesting that you mention that because one of the things that people are always asking me is, you know, what is it that they can be doing? And, you know, one of the things that I always say as it relates to espionage is because they're typically lower and slower kinds of attacks, they're typically more sophisticated or almost artistic or creative in some ways in that the way that they actually go about their attacks are maybe a bit more nuanced than kind of your plain-Jane, vanilla kind of cyberattacks, sharing the information is even more critical, right? 

Chris Novak: And so typically, I'm talking to more and more organizations to understand what is it that they're doing from a threat intelligence perspective. How is it that they are either getting information from others that may be relevant to them and when they see something, how are they sharing it with others in the community? Because, you know, I can't stress enough how important it is. 

Chris Novak: It's almost like your neighborhood watch in where you live, right? It's important that if the neighbors see something suspicious, you're sharing it with the other neighbors, right? You all kind of go out there, and you try to protect the entire neighborhood. If you're just in it for yourself, then maybe you'll be safe. But at the same time, you also don't know then what others may be aware of that they're not sharing with you, right? So how do we protect everybody in an industry or a community at large against these kind of threat actors? 

Dave Bittner: Yeah. All right. Well, it's the cyber-espionage report from Verizon. Chris Novak, thanks for joining us. 

Chris Novak: Always a pleasure, Dave. Thanks. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Bring out your best. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.