The CyberWire Daily Podcast 2.16.21
Ep 1270 | 2.16.21

France’s ANSSI warns of a long-running Sandworm campaign. DPRK tried to steal COVID-19 vaccine data. Supermicro is exasperated. Static Kitten phishes in the UAE


Dave Bittner: France finds Sandworm's trail in a software supply chain. Microsoft is impressed by the amount of effort Russian intelligence services put into the SolarWinds campaign. Pyongyang is reported to have attempted to steal COVID-19 vaccine information. Supermicro reiterates objections to Bloomberg's report on alleged hardware supply chain compromises. Static Kitten is phishing in the UAE. Updates on the Florida water utility cyber sabotage. Ben Yelin examines to what degree the FBI can access Signal app messages. Rick Howard gathers the Hash Table to discuss AWS. And a new executive director arrives at our state cybersecurity association.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 16, 2021. 

Dave Bittner: French authorities, specifically the information security agency ANSSI, said yesterday that they determined a Russian threat actor has been active against French targets from 2017 to 2020. ANSSI didn't flatly say which group was responsible, but it did note, according to Reuters, that similar tactics, techniques and procedures had been seen in use by Sandworm, also known as Voodoo Bear, an operation belonging to Russia's GRU military intelligence service. 

Dave Bittner: ANSSI has also made a detailed technical report available. The attackers dropped backdoors as web shells in their targets. 

Dave Bittner: The operation appears to have been another software supply chain attack, with the attackers working their way in through Centreon products used for IT monitoring. ANSSI didn't say how many victims there had been, but the agency indicated that most of them were IT service firms, especially web-hosting providers. The similarity in targeting and approach to the Solorigate campaign in the U.S. is obvious. 

Dave Bittner: Centreon's customer profile is similar to that of SolarWinds. The Paris-based firm lists more than 600 customers worldwide, including local and regional government agencies. There's no informed official conjecture about the goals of the campaign that exploited Centreon yet, but WIRED quotes industry experts as observing that Sandworm has a track record of disruption and destruction and hasn't confined itself to simple data theft. 

Dave Bittner: Centreon hadn't, as of this morning, posted any statement about the incident to its website. WIRED says Centreon emailed it to say that it was too soon to say whether the campaign represented an ongoing threat or whether it had been stopped by the patches and upgrades Centreon regularly issues. 

Dave Bittner: Voodoo Bear - think of them as Fancy Bear's daughter - is known for going after industrial control systems, especially those associated with power generation and distribution. Its most well-known tool is the BlackEnergy malware kit. The threat actor is widely believed to have been responsible for both 2008's distributed denial-of-service attacks against Georgia and 2015's action against a portion of Ukraine's power grid. 

Dave Bittner: To return to Solorigate, the investigation and mop-up of the very large and presumably very damaging cyber-espionage campaign against U.S. targets continues. CBS "60 Minutes" this weekend featured the SolarWinds compromise and highlighted both the scope of the attack and the effort that went into conducting it. 

Dave Bittner: Microsoft president Brad Smith said, quote, "I think from a software engineering perspective, it's probably fair to say that this is the largest and most sophisticated attack the world has ever seen," end quote. He added that Microsoft believed at least a thousand engineers were involved in mounting the attack. How Microsoft arrived at that figure is unclear. And while it's probably better to read a thousand as a lot and not as a rigorously supportable quantification of the human capital Russian intelligence applied to the task, it is, in any case, a lot. 

Dave Bittner: A member of South Korea's parliamentary intelligence committee told Reuters that he'd been briefed on an attempt by North Korean operators to breach Pfizer and steal information on the company's COVID-19 vaccine development. Ha Tae-keung said that the Republic of North Korea's national intelligence service briefed him on the attempted espionage and that the apparent motive was financial. Pyongyang is looking more to its criminal revenue stream, not to public health in the DPRK. 

Dave Bittner: Last week, Bloomberg renewed its reporting on an alleged Chinese hardware backdoor allegedly found on Supermicro products. The report was greeted with more skepticism than such reports usually are, since the earliest versions of the story, published initially in 2018, generally went unconfirmed by organizations that would've been in a position to confirm them. 

Dave Bittner: Supermicro issued a statement about the Bloomberg story, which says in part, quote, "Bloomberg's story is a mishmash of disparate and inaccurate allegations that date back many years. It draws farfetched conclusions that once again don't withstand scrutiny. In fact, the National Security Agency told Bloomberg again last month that it stands by its 2018 comments, and the agency said of Bloomberg's new claims that it cannot confirm that this incident or the subsequent response actions described ever occurred. Despite Bloomberg's allegations about supposed cyber or national security investigations that date back more than 10 years, Supermicro has never been contacted by the U.S. government or by any of our partners or customers about these alleged investigations," end quote. 

Dave Bittner: To round out the Familiar Four of bad-girl nation-states, researchers at security firm Anomali report a Static Kitten sighting. The threat group, believed to be run by Tehran, has been targeting government agencies in the United Arab Emirates, phishing them with the goal of installing ScreenConnect remote access tools in the systems used by its Emirati targets. The phishbait is usually an Israeli-themed geopolitical lure. The emails masquerade as communications from Kuwait's foreign ministry, and the phishhook itself is similar to those used previously in Operation Quicksand. 

Dave Bittner: There's not much new to report about the Oldsmar, Fla., water utility sabotage attempt. Local authorities in Oldsmar have grown increasingly tight-lipped about the attack on the town's water system, with the Pinellas County sheriff discouraging any municipal officials from discussing what is, as they say, an ongoing investigation. Detectives are on the case, they say, and the sheriff wants the public to understand that it was never in any danger. 

Dave Bittner: And finally, if you'll indulge us as we share some local news, we'd like to send our congratulations to Tasha Cornish, who's just been appointed executive director of the Cybersecurity Association of Maryland. Our congratulations to Ms. Cornish and our best wishes to the organization she now leads. 

Dave Bittner: Rick Howard is the CyberWire's chief analyst and also our chief security officer, and he is the host of "CSO Perspectives," a podcast that you can hear on CyberWire Pro. Rick, great to have you back. 

Rick Howard: Thank you, sir. 

Dave Bittner: On this week's "CSO Perspectives," you were wrapping up your two-part miniseries on AWS cloud security, going through a first principle lens. And you brought your experts to the Hash Table this week. What happened? How'd it go for you? 

Rick Howard: Well, Dave, as you know, I love the CyberWire Hash Table. I mean, those discussions help get me out of my own thought bubbles, which I need to do on a regular basis, OK? So thank goodness I have that thing. 

Rick Howard: To that end, I brought in some old friends, Merritt Baer - she's a security architect for AWS and, by the way, wicked smart, way ahead of me in most cases - and Jerry Archer, the Sallie Mae CSO, and a new colleague making his first appearance at the Hash Table, Mark Ryland from the Office of the CISO at AWS. 

Rick Howard: And one thing that is emerging from these discussions is a disagreement in the security community about the need for intrusion kill chain prevention in cloud environments. So Amazon isn't alone here either. Microsoft has the same general idea, too, although they did just announce this week an enhancement to their Office 365 Defender dashboard product that will start tracking APT groups in the future. So that's all positive. 

Dave Bittner: Yeah. I remember - you know, thinking back, one of the first conversations you and I ever had at RSA before you were part of the CyberWire when you were at Palo Alto, we were talking about the intrusion kill chain. And that is a foundational pillar in your first principle strategy. What did these cloud providers disagree with? 

Rick Howard: Well, you know, what I discovered is it's not so much a disagreement about the strategy. It's really a disagreement about what intrusion kill chain prevention is. And it's not just the cloud providers either. There are many security practitioners who are in that same exact boat. So we have a pretty lively discussion about that in this episode. 

Dave Bittner: AWS has been around how long - 20 - 2006, I guess? 

Rick Howard: 2006, yeah. 

Dave Bittner: Wow. And everybody is talking about moving to the - they're either moving to the cloud one form or another. I mean, that is - that's where everybody - it's the place to be today, right? But my question is, like... 

Rick Howard: Right. That's what everybody's thinking about. 

Dave Bittner: Yeah, but is - has anybody actually made it there completely? And these new companies that are spinning up, I mean, can they call themselves to be cloud native? 

Rick Howard: Well, yes, of course. If you're a small startup and you've - say you've come into existence, say, in the last 10 years, there's a really good chance that you have most of your assets in a cloud somewhere. And the CyberWire is a good case study. You know, we have some backups on prem, but we mostly run the operation with SaaS applications and an AWS virtual private cloud - or VPC is how, you know, the new kids call it. 
Rick Howard: Where the air gets more rarefied is in bigger organizations that have been around for a while. And I'm including government organizations in that group, too. If you've spent a lot of resources in the past - and I'm talking money, time and people here - to build your own data centers and networks, your move to the cloud has been noticeably slower. 

Rick Howard: But there are unicorns - right? - and Sallie Mae is one of them. Sallie Mae is a publicly traded consumer banking corporation. And as the CSO, Jerry Archer helped move it almost completely over to AWS. They don't run their own data centers at all, and they have deployed VPCs for every major application. And get this; they don't even use laptops anymore. They run their client - they run thin clients for their employees out of the AWS VPC. So in this episode, we talk to Jerry about how he secures those environments. 

Dave Bittner: Wow. All right, well, I'm looking forward to that. It is "CSO Perspectives." Again, it's part of CyberWire Pro. You can learn about that on our website, 

Dave Bittner: Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host on the "Caveat" podcast, where we discuss privacy and surveillance law and policy. Ben, great to have you back. 

Ben Yelin: Good to be with you again, Dave. 

Dave Bittner: Interesting article from the folks over at Forbes. This was written by Thomas Brewster. And the title of the article is "Can The FBI Hack Into Private Signal Messages On A Locked iPhone? Evidence Indicates Yes." What's going on here, Ben? 

Ben Yelin: So obviously, a lot of users have moved to Signal from other encrypted applications. It's now among the most popular applications for encrypted messaging. And an attorney who works for the Program on Extremism at George Washington University was able to obtain court documents that seemed to show law enforcement gaining access to these encrypted communications, even though the devices used by the criminal suspects were locked. 

Ben Yelin: So this was a couple of gentlemen accused of running a gun trafficking operation in New York. Their encrypted messages included information about this operation. Obviously, as the article notes, they are - they have not entered a plea, so they are innocent until proven guilty. But that's at least what the allegations are. 

Ben Yelin: It is unclear how law enforcement was able to get access to these encrypted communications from Signal. Apple - because these were iPhones - were contacted for their comments on the issue, and they said they would not comment on it, probably for obvious reasons. They don't want to reveal any privacy or security flaws in their own software. 

Dave Bittner: Right. 

Ben Yelin: Signal was contacted, and a spokesperson on behalf of Signal said if somebody is in physical possession of a device and can exploit an unpatched Apple or Google operating system vulnerability, then they can act as the true owner of that device. So their suggestion seems to be make sure that your updates are frequent, that you are downloading all of your patches, that your devices are up to date, and choose a strong lock screen passcode. 

Dave Bittner: Right. Right. 

Ben Yelin: I think those are - you know, that's certainly wise advice for users of the Signal application. I think that doesn't give us a satisfying answer in terms of how law enforcement was able to access this. 

Dave Bittner: Yeah. 

Ben Yelin: We don't know yet particularly what type of - what generation of iPhone was used. So I just think there's a lot we don't know. 

Dave Bittner: Yeah. There's an interesting detail in this article. They refer to something called partial AFU. And AFU stands for after first unlock. And it's an interesting sort of technical thing about an iPhone. So it's a phone that's locked but has been unlocked previously and not turned off. And what's significant about that is that it makes the phone more susceptible to having the data extracted because the phone's encryption keys have been generated, and they're stored in memory. 

Dave Bittner: So you power your phone up. You unlock your phone. The phone does the things that - you unlock the phone. The phone does the things that it does to verify that it's you, does what it does with its encryption keys, and it stores those in memory. So when it's in that state, the supposition is that folks who have software like GrayKey or Cellebrite - you know, the folks who make these what they refer to as lawful intercept tools - they're more likely to be able to access information when the phone is in that state. So there's speculation that perhaps that's what's going on here. 

Ben Yelin: Yeah. And what this article makes clear is that these tools - the GrayKey or Cellebrite tools - are tools we know are used by the FBI. And we know that because we have good journalists who have subpoenaed documents and have figured out that federal law enforcement has been able to get access to these things in the past. So I guess the lesson there for users is frequently turn off your device, you know... 

Dave Bittner: Well, yeah, if you're... 

Ben Yelin: ...When you're not using it, yeah. 

Dave Bittner: Or before you turn it over to law enforcement, power it down, I guess, would be good best practice, right? 

Ben Yelin: Yeah. I hate to say it, but you may not - you know, depending on the circumstances of your device being obtained by law enforcement, you may not have that option. But if you do have that option, that's probably the wise tack to take. 

Dave Bittner: All right. Well, it's an interesting article, for sure. Again, this is over from Forbes, written by Thomas Brewster. It's titled "Can The FBI Hack Into Private Signal Messages On A Locked iPhone? Evidence Indicates Yes." Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Say yes to new adventures. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.