The CyberWire Daily Podcast 2.25.21
Ep 1277 | 2.25.21

PLA spyware keeps Tibetans under surveillance. Cyber conflict between Ukraine and Russia, some conventionally criminal, other state-directed. US Executive Order addresses supply chain resilience.


Dave Bittner: FriarFox is a bad browser extension, and it’s interested in Tibet. Ukraine accuses Russia of a software supply chain compromise. Maybe Moscow hired Gamaredon to do the work. Egregor hoods who escaped recent Franco-Ukrainian sweeps are thought responsible for DDoS against Kiev security agencies over the weekend. A look at Babuk, a new ransomware-as-a-service entry. VMware servers are patched. Verizon’s Chris Novak looks at the 2021 threat landscape. Our guest is Andrew Hammond from the International Spy Museum. And a U.S. executive order on supply chain security.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Thursday, February 25, 2021. 

Dave Bittner: Security firm Proofpoint this morning released a study of a Chinese People's Liberation Army threat actor, TA413, that's deployed a malicious Firefox browser extension, FriarFox, in a surveillance campaign directed against Tibetans. TA413 has also used Scanbox and Sepulcher malware in its operations so far this year. The unit's targets include Tibetan groups, both domestic and in the Tibetan diaspora. Proofpoint assesses TA413's toolset as technically limited but quite effective against dissident communities, which, after all, have what Proofpoint aptly calls a low barrier to compromise. The campaign also suggests a shift to more open-source tools on the part of the PLA. 

Dave Bittner: Ukraine's National Security and Defense Council has accused Moscow of compromising a Ukrainian government file-sharing system, the System of Electronic Interaction of Executive Bodies. ZDNet thinks the group responsible is Gamaredon, a group widely regarded as a proxy for Russian intelligence services. Gamaredon has certainly been active against Ukrainian targets in the past, but it’s an odd duck. While often thought of as an advanced persistent threat - that is, a government-run operation - in some respects, it doesn’t really act like a government agency or even a straight-up contractor like Iran’s Mabna group. For one thing, Gamaredon doesn’t restrict its targeting the way a government operation normally would. Nor is it entirely indiscriminate in the way the lower-end cybercriminal gangs tend to be. For all that, Gamaredon is both noisy and aggressive. Research by Cisco’s Talos group suggests that Gamaredon is also a mercenary player in the criminal-to-criminal market. Talos wrote in its recent report on Gamaredon, quote, "We should consider the possibility of this not being an APT at all, rather being a group that provides services for other APTs, while doing its own attacks on other regions," end quote. So a kind of contractor, perhaps, a criminal organization that hires its services out to intelligence services but that also does business with other criminals while its principal state sponsor - by general agreement, Russia - turns a blind eye. So Gamaredon is one of the most active and undeterred actors in the threat landscape. It does the work of an APT, but it uses a cybercriminal style. 

Dave Bittner: It’s worth noting that the operation the NSDC describes seems to be a software supply chain compromise. As NSDC tweeted, "The attack belongs to the so-called supply chain attacks. Methods and means of carrying out this cyberattack allow to connect it with one of Russia's hacker spy groups." This is therefore a different matter entirely from the distributed denial-of-service attacks Ukraine complained of at the beginning of the week. The DDoS attack targeted both the National Security and Defense Council and the SBU security service, BleepingComputer reports. And Ukrainian authorities did claim that the attack had its origins in Russia, in, as they put it, Russian traffic networks. The NSDC describes the DDoS thusly. "Vulnerable government web servers are infected with a virus that covertly makes them part of a botnet used for DDoS attacks on other resources. At the same time, security systems of internet providers identify compromised web servers as a source of attacks and begin to block their work by automatically blacklisting them. Thus, even after the end of the DDoS phase, the attacked websites remain inaccessible to users,” end quote. 

Dave Bittner: But it seems that this denial-of-service harassment was probably the work of the Egregor criminal gang thought to be retaliating for the arrest of three of its members by the Ukrainian participants in a big, bilateral Franco-Ukrainian law enforcement sweep. Alleged members of Egregor, we should, of course, say, allegedly engaged in criminal activity. These particular alleged hoods seem to have belonged to Egregor’s ransomware-as-a-service subgang. French authorities in particular had blood in their eyes because, as France Inter reports, Egregor was allegedly implicated in ransomware attacks against hospitals. So, Paris and Kiev, good hunting. Go get ‘em. They’re allegedly bad guys. 

Dave Bittner: Researchers at McAfee this morning released their study of Babuk ransomware, a new strain detected earlier this year. It’s another entry into the ransomware-as-a-service market, whose operators hawk it in both Russophone and Anglophone criminal-to-criminal markets. It uses the familiar attack vectors common in the ransomware space - phishing emails, of course, but also exploitation of compromised accounts and access gained through unpatched systems with known vulnerabilities. Babuk’s criminal customers seem, so far, to be most interested in hitting victims in the transportation, healthcare, plastics, electronics and agriculture sectors. Their activity has extended to a number of geographical regions, and the malware doesn’t use the sorts of local language checks often employed to keep the operators out of hot water in countries whose legal systems tend to be vigilant and unforgiving. McAfee’s notes on Babuk see an interesting division of labor across its two principal linguistic communities. The operators will use an English-language forum for announcements but a Russian-language forum for affiliate recruitment and ransomware updates. 

Dave Bittner: ZDNet reports that more than 6,700 VMware servers were exposed to a remote code execution vulnerability, now patched. Proof-of-concept exploit code was posted online yesterday, and researchers at Bad Packets report seeing mass sweeps in progress, looking for vulnerable servers. Positive Technologies, which has been working with VMware to address the vulnerability, has published a technical analysis of what’s up and what’s at stake. Patches are available from VMware. 

Dave Bittner: And finally, U.S. President Biden yesterday signed an executive order directing a comprehensive review of the resilience of American supply chains. The order includes - but isn’t limited to - software supply chains. Other areas specifically addressed include biomedical supply chains, an obvious nod in the direction of COVID-19 vaccine development and delivery, and IT hardware. Several Cabinet departments are directed to look at the chains they have a particular responsibility for or interest in, and the tasking runs through most of the departments, from Agriculture to Transportation. The order’s comments about securing the U.S. supply of chips - the semiconducting kind - drew good reviews from a surprising source - Huawei. The Washington Post reports, with some show of surprise, that the Shenzhen tech giant likes what it sees. Huawei’s U.S. CSO Andy Purdy told the Post, quote, “It seemed like Huawei was a distraction while the U.S. wasn't doing enough to address real cybersecurity supply-chain risk and not doing enough to make sure America can build the competitive lead that America has over China and technology innovation,” end quote. So in Shenzhen’s view, disaggregating security from economics is a move in the right direction. There will have to be a number of other steps before the security-based barriers to Huawei’s participation in U.S. markets will fall, but Huawei is hopeful. 

Dave Bittner: If you find yourself in Washington, D.C., you may consider a trip to the International Spy Museum, a place that houses many things that are surely of interest to listeners of this program. I recently caught up with Dr. Andrew Hammond. He's historian and curator at the International Spy Museum. 

Andrew Hammond: I think the way that I would describe it would be an Aladdin's cave of thousands of really cool objects from the world of international espionage and intelligence. And those include things from the real world that were used by agencies like the CIA and MI6 but also stuff from the fictional world. So we have one of James Bond's cars at our entry for you. So for me, it's like an Aladdin's cave of really cool stuff. We've got a bunch of exhibits on a variety of different topics that guide the uninitiated through the world of intelligence and espionage but also give people that are more in the know lots of really good food for thought. So I think that's probably the way that I would approach that. 

Dave Bittner: As the Spy Museum's historian and curator, how do you approach your job? How do you select the things that you're going to bring into the organization to then share their story with the public? 

Andrew Hammond: I mean, for me personally, I just look for a really interesting story behind the artifact. So with espionage and intelligence, some people are more into the tech stuff. Some people are more into the - you know, the gadgets. And for me, I'm more into the story. So there could be a really cool story behind the object. 

Dave Bittner: For our audience of cybersecurity specialists, what do you - are there any artifacts that you have there that you think would be particularly interesting to them? 

Andrew Hammond: Yes, there's one thing that I absolutely love and I get really excited about. And some people think that maybe I have some kind of mental illness because of it. 


Andrew Hammond: And it's a shard from the Aurora test. And I think it was 2007. So why does that matter? So some of your listeners will know this, but the Aurora test - in 2007, they were basically using cyber zeros and ones to affect the physical world. And they essentially just threw an electrical current out of balance until this generator exploded. So we have a piece of metal from that test. So you look at it, and you're thinking, it's a piece of metal. A piece of metal is a piece of metal, is a piece of metal. But it's the story that's behind it. And the whole history of the world, we've been going down a certain path. And I think, with that generator test - I think we've turned a corner. I think we've turned a corner in terms of the cyber world and in terms of moving forward into a new era. So we can even think about things like, say, nuclear weapons or other missile delivery systems. Now, with everything being plugged into the grid, we can use zeros and ones. We can use zero-days to get into some of this stuff and to do stuff that's going to interact and interfere with the physical world. 

Dave Bittner: That's Dr. Andrew Hammond, historian and curator at the International Spy Museum. He's also the host of the International Spy Museum's podcast. It's titled SpyCast. Check it out. 

Dave Bittner: And I am pleased to be joined once again by Chris Novak. He's the global director of Verizon's Threat Research Advisory Center. Chris, it's always great to have you back. You know, it's hard to believe that we're already a couple months into 2021 here. I want to check in with you and see what sort of things are on your horizon for the rest of the year. Any predictions for what we might see? 

Chris Novak: So I wish I could say that I have really positive news. But unfortunately... 


Chris Novak: ...My predictions, if I were to look into my crystal ball, I - unfortunately, I'd say that they're quite negative. And normally, anybody who knows me would tell you that I'm a pretty optimistic kind of guy. But I think when it comes to this, I look at, you know - for example, you look at the typical time it takes to discover the fact that a breach has occurred. And most often, we see that it's, you know, eight months or sometimes more. And, you know, through no fault of anybody, I think the reality of it is we've all been highly distracted by what's been going on with the pandemic and for good reason, right? Life and safety typically takes priority for everybody. But the challenge I see is if you look at the fact that most breaches take eight months or more to discover, look at where we are. And it's actually kind of interesting, the timing of this conversation that you and I are having. Because had we had this conversation just before some of the recent big breaches that are now just starting to make the news, my prediction - man, I should have played the lottery on what I'm saying here because it's all coming true starting now, right? And honestly, I think that's going to unfortunately continue because so much of what happened during COVID is only now being discovered. 

Dave Bittner: Yeah, that's a really interesting aspect - is that lead time, you know, before discovery or revelation of things that - where, you know, bad guys could've been taking advantage of all of the chaos that happened in the COVID transitions. I'm wondering, though - I mean, is there the reality that we'll be sort of settling in through 2021, that we've - you know, organizations will have their new normal? They're going to be able to spend more - they're not so much in a sort of a frantic transitional mode. They're saying, OK, this is the way it's going to be for a little while. Let's get our house in order. Let's settle in and, you know, sort of secure things, knowing that this is how we're going to be operating here for the - at least for the short term. 

Chris Novak: Yeah, and I think there's something to be said for that because I think you're right, that 2021, I think, will - whatever the new normal will be, I think we will be settling into it, right? People will be starting to go back to offices in some way, shape or form. And I think the biggest challenge we faced with 2020 and the pandemic was there was so much change, and it happened so incredibly fast. And, you know, people don't like change. A lot of people want to be able to say, look. I know what I'm doing today, this afternoon, tomorrow. People generally like to have a plan and like predictability. And I think that was something that we really just didn't have for most of 2020 that made it very difficult. I think some of the predictability will start to come back with 2021. I'm not saying that we'll be like we were pre-COVID. I think there's going to be a lot of things different about how we operate for the next several years, but I think predictability will start to come back in a new way. But I think the challenge that will still exist on the cybersecurity front, unfortunately, I think is that so much - I mean, think about it. If you were to look at the normal breach landscape and say that it's typically - events are discovered about eight months after they've started, that's in a pre-COVID time period when our SOC was all in the building, sharing information, looking at the big, giant screens, and everyone was plugged in 24/7 to what everybody else was doing. For a good chunk of 2020, we were far from operating in ideal conditions, right? Many people were trying to figure out how to move their gear to home, how to connect to the different systems or tools, how to do their conference calls with their dogs barking in the background... 

Dave Bittner: (Laughter). 

Chris Novak: ...You know, whatever it is, right? And there's lots of distractions. Kids are learning at home and tugging on their parents while their parents are probably trying to watch their SOC screens to try and figure out if something's going on in the environment. So I think if you even just assume that that adds somewhat of an additional delay to our detection period, that means we're probably not looking at average detection of eight months. We're probably looking at average detection of nine to 10 months, right? So if you think of where we are with, you know, COVID really kind of hitting in March for a lot of, you know, the world, you know, we're really just kind of getting into the beginning of what would have been ideal detection. But I think, to your point, I hope we'll be settling in and be in a better position to do the incident response and actually tackling the problems in 2021. 

Dave Bittner: Well, there's always 2022. Right, Chris? 


Dave Bittner: We can be optimistic towards that, right? 

Chris Novak: I'll tell you I really want to. That's for sure. I'm hoping 2021. But yeah, the data makes me question it. 

Dave Bittner: All right, fair enough. Well, Chris Novak, thanks for joining us. 

Chris Novak: You bet, Dave. Take care. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. But great taste speaks for itself. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.