The CyberWire Daily Podcast 2.19.21
Ep 1273 | 2.19.21

Mopping up Solorigate. Tehran’s Lightning and Thunder in Amsterdam. The view from Tallinn. Malware designed for Apple’s new chips. Lessons from the ice, and how hackers broke bad.


Dave Bittner: Microsoft wraps up its internal investigation of Solorigate, which the U.S. government continues to grapple with and which has had some effect on Norway. An apparent Iranian APT has been hosting its command and control in two Netherlands data centers. Estonia's annual intelligence report describes Russian and Chinese ambitions in cyberspace. Threat actors are hard at work against Apple's new processors. Kevin Magee on the Canadian National Cyber Threat Assessment for 2020. Our guest is Mark Testoni from SAP National Security Services on the Biden administration's first 100 days. Plus, lessons from the ice, and how hackers became cybercriminals.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 19, 2021.

Dave Bittner: Microsoft published what it calls its "final update" on Redmond's internal investigation of Solorigate yesterday. They found no evidence that threat actors gained access to either production servers or customer data and concluded that Microsoft systems were not used to attack third parties. They did find signs that the intruders were able to inspect a few code repositories for Azure cloud identity and security programs, for Exchange and for Intune mobile management. Microsoft takes away from Solorigate a renewed commitment to zero trust.

Dave Bittner: For its part, the US government continues to mop up what's been, by all accounts, an effective and quite damaging cyberespionage campaign. Anne Neuberger, US deputy national security adviser for cybersecurity and emerging technology, has been careful to set expectations. The US government is still in the relatively early stages of coming to grips with the incident. The Federal News Network quotes her as saying, quote, "if you can't see a network, you can't defend a network, and federal networks' cybersecurity need investment and more of an integrated approach to detect and block such threats," end quote. So there's a slog ahead, but Neuberger thinks the end result will be better security. Agencies will build back better with more modern, more resistant systems.

Dave Bittner: Compromised versions of SolarWinds Orion have also affected other organizations outside the US. Norway's Sovereign Wealth Fund has disclosed that it downloaded and installed a compromised version of Orion last July. They realized what they'd gotten into this past December 13 and since then have taken steps to fix the problem, the media outlet DN reports.

Dave Bittner: The Netherlands Times reports that an investigation by Bitdefender, in cooperation with the radio news outlet Argos, has uncovered a large cyberespionage operation, apparently Iranian in origin, that's managed to establish its infrastructure in two Amsterdam data centers. The basic malware, Foudre - that's lightning in French - was identified in 2016 and has been active for about a decade. It's added new command and control capabilities, as well as a new component, Tonnerre - thunder - a second-stage payload used for persistence, surveillance and data exfiltration.

Dave Bittner: Bitdefender writes that Tonnerre could allow attackers to take screenshots, collect recent files and documents with specific extensions and even record audio using the system's microphone before uploading that data to the attacker-controlled C&C. The operation appears to target devices in the Netherlands, Germany, Sweden and India.

Dave Bittner: Estonia, which lives in a relatively rough neighborhood - next door to Russia - which has received more than its share of Russian attention in cyberspace and which for some years has punched far above its weight in the fifth domain, this week published its annual intelligence report, "International Security and Estonia." The report concentrates on Russian activities and the interests and pressures likely to shape Moscow's operations. It also includes a coda on the other big cyber power a bit farther to the east, China.

Dave Bittner: Different readers are struck by different aspects of the report. The Times of Israel fastens on the prospect of Russian information operators using the stress of the COVID-19 pandemic to divide Western allies. Euractiv, for its part, is struck by what the report has to say about Russian capabilities to deploy deepfakes in the service of influence operations and disinformation.

Dave Bittner: Security firm ESET reports that threat actors have begun to work on Apple's new M1 Macs, the ones equipped with Apple's in-house chips. The M1 processors run on ARM architecture, a departure from Cupertino's former preference for Intel x86 chips.

Dave Bittner: In the Objective-See blog, researcher Patrick Wardle summarizes his own analysis as follows, quote, "So we've succeeded in finding a macOS program containing native M1 ARM64 code that is detected as malicious. This confirms malware/adware authors are indeed working to ensure their malicious creations are natively compatible with Apple's latest hardware," end quote.

Dave Bittner: Researchers at Red Canary, earlier this month, noticed some macOS malware that established persistence through LaunchAgent. They write, quote, "our investigation almost immediately revealed that this malware, whatever it was, did not exhibit the behaviors that we've come to expect from the usual adware that so often targets macOS systems. The novelty of this downloader arises primarily from the way it uses JavaScript for execution - something we hadn't previously encountered in other macOS malware - and the emergence of a related binary compiled for Apple's new M1 ARM64 architecture."

Dave Bittner: Red Canary calls the activity cluster Silver Sparrow and says that, for now at least, it lacks a payload. They acknowledge work done on the malware by VMware Carbon Black and Malwarebytes.

Dave Bittner: The Texas winter storms aren't, of course, a cyber incident, but they may hold lessons for business continuity and recovery planning against the possibility of cyberattacks on power grids. In this case, according to The Wall Street Journal, a number of data centers have done fine, but the storm's been harder on humans than machines.

Dave Bittner: And finally, Avast takes a look at the history of hacking and sees a progression - or, more properly, a regression - from fun to felony, from lulz to looting. The history they see suggests that people once broke into systems as a chest-thumping way of showing off their skills, a bunch of bravos out counting coup and not interested in much more than the glory and, of course, in outshining the other bravos, not to mention the jocks who used to steal their lunch and stuff them into lockers.

Dave Bittner: Then the hackers discovered that there was money to be made and were on the slippery slope into the criminal underworld. Hackers became cybercriminals.

Dave Bittner: So Avast's bloggers have a point, although one can't help recalling that infamous hacker, Captain Crunch, the OG phone phreak, was also interested in making free long-distance calls on Ma Bell's dime. As they would have said in San Fernando Valley, dude. So we doubt that hacking ever had a prelapsarian past. The serpent was whispering possibilities in cyber Eden before most of us knew it was even a thing.

Dave Bittner: When a new president takes office, it's become standard practice to announce a list of policy goals and aspirations for the first 100 days of their administration. And President Biden is no exception. There's symbolism there signaling priorities. Mark Testoni is CEO of SAP National Security Services, and he joins me to discuss what cybersecurity issues should make the cut for being on that first 100 days list.

Mark Testoni: In a lot of ways, where what we've seen in the last few years is there's been kind of an increased awareness of threats in this area, at least at an aggregate scale from - on the threat of China and supply chain. To some degree, because of what happened in the 2016 election, there is greater awareness of cyber in general. So that's all goodness. I think we often - and the expansion and growth of the CISA and the work that was done under the director, Christopher Krebs, I think, was noteworthy in the last few years. But the reality is - is we're coming off of a breach of a new calculus and consequence with SolarWinds. And we've also - we're looking at cyber - I think the vectors of cyber are beyond the concept breaches, which we've all been hearing and dealing with. But the nuance around it as well is kind of the information that we hear and process and how that's implicated by cyber and, you know, the authenticity of things. So the debate's around that and how do we clean it up.

Mark Testoni: So beyond just being, like, this, you know - somebody is going to get in and steal my information kind of aspect or get into my systems aspect of cyber, we've also really amplified this whole disinformation part of it and that vector. So it's a much more complicated problem on the one hand. And I think, unfortunately, we are still in a place where we kind of look at cyber as the government has a set of programs, and then the private sector's trying to do certain things. And all - there's been some collaboration. I think we've got an opportunity for collaboration that needs to be exploited there. This is not a problem that's going to be solved by one or two sets of parties. It's kind of a - there needs to be a national focus and attention on this.

Dave Bittner: But it seems to me like this is one of a handful of things where there really is true, sincere, good faith, bipartisan support. There's recognition that this is a problem that everyone needs to address together. Do you agree with that assessment?

Mark Testoni: I agree. I mean, there was a - we've had several - Congress has looked at this. It's passed legislation. It's had bipartisan support going back a number of years. We've seen over multiple administrations the expansion of Homeland Security's role. There was a bipartisan Cyberspace Solarium Commission that laid out a plan that talked about establishing a national cyber director and developing a national cyber strategy. So all these things speak to exactly what you said. We got to get on with executing against it, which is probably a combination of things. And we really do need to develop a strategy. So I think our heart's in the right place. I would agree with you. I think most people agree with us.

Mark Testoni: And we also need to understand it's not a static problem. This is going to be something that's with us forever at a level. It's always going to be a threat, much like security has been since the beginning of man. We need to recognize it as such, and we need to engineer it more upfront rather than behind as we approach the new world. And when I start looking at things like 5G and how that's going to change our lives and world, it's going to be an opportunity for this, but it's also going to be critically important if we're going to really leverage 5G.

Dave Bittner: It's funny. I remember, you know, growing up in the '70s and seeing the TV commercials saying, don't be a litterbug. And (laughter)...

Mark Testoni: You remember those. It's fascinating. And I think we all remember the picture of the Native American in the canoe.

Dave Bittner: Right. Right. Yep. And the one by the side of the road with the tear rolling down his face at the...

Mark Testoni: Yep.

Dave Bittner: The litter. Yep. Yep. It's iconic.

Mark Testoni: This is what we need, Dave, in my mind. That's the kind of impact. If our kids, your grandkid or son and my grandchild, are doing a...

Dave Bittner: Yeah.

Mark Testoni: ...Podcast in 40 years and they're remembering things that we were able to do during this time, I think it would be critically important.

Dave Bittner: What do you think about this notion of having something like the NTSB, you know, where major breaches are automatically evaluated, investigated?

Mark Testoni: You know, I think we do need to do that, but we've got to create an environment for it that allows for collaboration. You know, the FAA and the air mainline plane manufacturer and the airlines have built really a sense - and including on an international level - have built a sense of trust up that they can do this - right? We haven't built that framework yet, so I think that could be an outcome. We can't - you know, one of the concerns I have is turning this into something that feels punitive to any of the players. I'm not saying that it ultimately doesn't end up in punishment if there weren't negligence. But right now, what we have a tendency to see - and being someone that works with the government as well is like, requirements will come down and, you know, basically they'll be directed upon. I'm not saying that that isn't part of the calculus, but we need to create a collaborative environment to solve these problems, and we need to learn from them.

Mark Testoni: And we also need to understand the nature of breaches has changed. The SolarWinds one was an attack on our software supply chain. And the implications of that are much greater than - not that it isn't the disclosure of PII and things that have happened historically in these breaches is important. But this has ramifications in our infrastructure that are far broader and will be much more important in a 5G world, where we'll redistribute the internet again. So a long answer to a short question, but I think that we want to make sure we don't create the law of unintended consequences by creating apparatus without really having a strategy behind it, if that makes sense.

Dave Bittner: That's Mark Testoni from SAP National Security Services. There is a lot more to our interview. Don't forget to go listen to extended versions of this and many other interviews at CyberWire Pro. It's on our website,

Dave Bittner: And I'm pleased to be joined once again by Kevin Magee. He's the chief security and compliance officer at Microsoft Canada. Kevin, it's always great to have you back. I want to touch base with you on the recently published Canadian National Cyber Threat Assessment for 2020. There's some interesting things that folks up your way have published. What sort of things caught your eye?

Kevin Magee: So the report is the second that they've published. And it's the Canadian Centre for Cyber Security, which is Canada's authority on cybersecurity, part of the communications security establishment we call the CSC, which would be sort of the equivalent or cousin of your NSA. And the head of the organization, Scott Jones, really challenged his organization to make bold predictions and really, you know, focus on unseen trends farther out. So it was interesting to read the 2018 report again and see what they got right and what they got wrong and then reread the 2020 report.

Kevin Magee: And I like reading reports like this because often in our industry, we read very technical reports with very technical analysis. And this report in particular is very focused on the threats to the citizens of Canada and how we look at the attack vectors and how we looked at the challenges from their lens rather than from the technologist lens. And I think that that diversity of opinion and challenging of my premises is really why I enjoy reports like this.

Dave Bittner: And so what were some of the highlights for you?

Kevin Magee: So one of the things that really immediately jumped out at me is I'd kind of written off cryptojacking as an attack vector. And maybe that was because of the drop in Bitcoin. We're not seeing it being - you know, as often popping up in our day to day, whereas two, three years ago, I would have really thought that cryptojacking might have taken over the whole ransomware market, and we would have been done with ransomware. And we're seeing as the rise in prices are increasing that that's becoming a new attack vector again. So, again, challenging my premises, seeing what's happening from another threat factor, makes me as a chief security officer then think, OK, I now have to invest some time in looking at this and seeing how it's affecting my organization and my customers as well.

Dave Bittner: And how does this compare to things that are tracking, you know, other places around the globe? Are there some specifically regional things? Or as things happen in Canada, so they do, you know, globally.

Kevin Magee: I think it's interesting that, you know, we are really becoming a global market for all things, including cybercrime. And cybercrime is really top of the list. It's the No. 1 threat vector to Canadians as well as in most organizations. That's what I'm reading around the globe as well. So I think it's different sectors maybe are under attack in Canada than other countries. But the trends are very much the same. And I guess it's because cybercriminals don't really look at geography or zip codes. They look at IP addresses. And that's really made a level playing field for smaller countries to come under attack.

Kevin Magee: And I think there's a message in there, a lesson to be learned, is that just because you're - you know, you live in a smaller country that may not - you know, you may not think you're going to be attacked or you're going to be a victim of some of these crimes because you're obscure. That's not the case anymore. And we're seeing, really, the trends that are tracking in Canada very, very similar to those tracking around the world.

Dave Bittner: All right. Well, the report is the Canadian National Cyber Threat Assessment. Kevin Magee, thanks for joining us.

Kevin Magee: Thanks, Dave.

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Give your body the comfort it deserves. Listen for us on your Alexa smart speaker, too.

Dave Bittner: As you're enjoying your weekend, don't forget to take a few minutes and check out "Research Saturday" and my conversation with Bojan Zdrnja. He's a senior information security consultant at INFIGO, also a member of the SANS Institute. We're discussing his research on using Chrome extension syncing to exfiltrate data. That's "Research Saturday." Check it out.

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.