The CyberWire Daily Podcast 3.1.21
Ep 1279 | 3.1.21

“RedEcho’s”activity in India’s power grid is described. US report on Khashoggi murder declassified SolarWinds compromise inquiry updates. Ill-intentioned SEO. President’s Cup winner announced.


Dave Bittner: Reports of Chinese cyber engagement with Indian critical infrastructure. The U.S. government declassifies its report on the murder of Saudi journalist Jamal Khashoggi. The SolarWinds supply chain compromise remains under investigation, with an intern making a special appearance. Malign search engine optimizations. Rick Howard shares Hash Table opinions on Google Cloud. Josh Ray from Accenture on cybercrime and the cloud. And congratulations to the winners of CISA's President's Cup.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 1, 2021. 

Dave Bittner: Threat intelligence firm Recorded Future's Insikt Group reports that an apparent Chinese cybersabotage group they're tracking as "RedEcho" has been active against India's infrastructure. RedEcho is a new name because despite some apparent links to other Chinese APTs, identification remains unclear. The group may have been staging potential attacks with a view to holding India's electrical power grid at risk. 

Dave Bittner: Recorded Future puts it this way - quote, "potential pre-positioning of network access to support Chinese strategic objectives," with some attendant speculation about signaling, support of influence operations or "as a precursor to kinetic escalation." 

Dave Bittner: They go on to say, quote, "Since early 2020, Recorded Future's Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organizations from Chinese state-sponsored groups. From mid-2020 onwards, Recorded Future's midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control servers to target a large swath of India's power sector. Ten distinct Indian power sector organizations, including four of the five Regional Load Despatch Centres responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India's critical infrastructure. Other targets identified included two Indian seaports," end quote. 

Dave Bittner: Recorded Future does say it expects further such activity as long as Sino Indian tensions remain high. But it's worth noting that Recorded Future's conclusions are more tentative than those reached by the New York Times and various media outlets in India, and the report should be received in the spirit of relative circumspection in which the researchers seem to have offered it. 

Dave Bittner: That cybersabotage of a power grid would have great potential for disruption is clear. As Control Global points out, one need look no further than the consequences of the Texas ice storms last month to see the possibilities. 

Dave Bittner: Whatever happened in India, the incident would seem to point out the difficulties in deterrence and signaling in cyberspace. If indeed the staging represents an attempt on Beijing's part to signal to India that its power grid is at risk, for example, that signaling would seem to have come at the cost of blowing the means of access to that grid. 

Dave Bittner: The US government late Friday released a long-anticipated intelligence report on the murder of Saudi journalist Jamal Khashoggi, declassified by the director of national intelligence. The report's executive summary is direct and succinct. 

Dave Bittner: Quote, "we assess that Saudi Arabia's Crown Prince Mohammed bin Salman approved an operation in Istanbul, Turkey, to capture or kill Saudi journalist Jamal Khashoggi. We base this assessment on the crown prince's control of decision-making in the kingdom, the direct involvement of a key adviser and members of Mohammed bin Salman's protective detail in the operation and the crown prince's support for using violent measures to silence dissidents abroad, including Khashoggi. Since 2017, the crown prince has had absolute control of the kingdom's security and intelligence organizations, making it highly unlikely that Saudi officials would have carried out an operation of this nature without the crown prince's authorization," end quote. 

Dave Bittner: As one would expect, the report frames its conclusions largely in terms of a priori probability and takes care not to reveal intelligence sources and methods. But it was widely believed at the time that U.S. intelligence services had collected signals and cyber intelligence that pointed to the direct involvement of Saudi intelligence services in the murder. 

Dave Bittner: The Washington Post reports that the Biden administration will not impose direct sanctions on the Saudi crown prince. Secretary of State Antony Blinken said at a news conference that, quote, "the relationship with Saudi Arabia is bigger than any one individual," end quote, and that appears to be the way the administration stands with the crown prince, at least even as it discusses a recalibration - that's recalibration, not, as the State Department stresses, a rupture - of relations with the Kingdom of Saudi Arabia. 

Dave Bittner: According to Politico, the State Department did impose more than 70 visa restrictions on other persons involved in the killing, and the Treasury Department announced sanctions against the former deputy head of Saudi intelligence services and on members of the group deemed responsible for Khashoggi's murder. 

Dave Bittner: The White House is facing some pressure from congressional Democrats in particular, the Washington Post reports, to take more direct action against Crown Prince Mohammed bin Salman. 

Dave Bittner: The effects of the SolarWinds supply chain compromise continue to spread through US government agencies. WIRED writes that the metaphorical "body count" now includes NASA and the FAA. 

Dave Bittner: So how did all this happen in the first place? Investigation continues, and current and former SolarWinds executives are blaming an intern for setting up the now-famous bad password solarwinds123, which CNN reports was out loose on the internet for several years before it was detected. Sure, it's a bad password, but that finding a password would have been sufficient to give the sort of access necessary to the whole shebang of a major supply chain compromise seems surprising. Still, bad password and apparently some weak supervision of that intern. 

Dave Bittner: Sophos describes the Gootloader infection framework, which is not only expanding its payloads, but using a novel approach to search engine optimization to bring its criminal bait to the attention of potential victims. The payloads currently being served up by Gootloader include the Gootkit banking Trojan, Kronos, Cobalt Strike and REvil ransomware. 

Dave Bittner: And finally, late Friday, the US Cybersecurity and Infrastructure Security Agency announced the winner of its President's Cup Cybersecurity Competition. Congratulations to the Cyberspace Capability Engineers from the 780th Military Intelligence Brigade, who took this year's honors. 

Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer, also our chief analyst. But more important than any of that, he is the host of the "CSO Perspectives" podcast, which is part of CyberWire Pro. 

Dave Bittner: Rick, this week you are concluding a two-part miniseries on securing the Google Cloud Platform. And I know you've been talking to our Hash Table members about GCP. Where do we stand when it comes to folks preferring Google Cloud over the other two big providers like Amazon and Microsoft? 

Rick Howard: Well, you know, Dave, you would think that question would be simple to answer, wouldn't you? 


Rick Howard: Well... 

Dave Bittner: Uh-oh. 

Rick Howard: As with all things security and I guess most things in general, it isn't. And by the way, when I was in the Army back when, you know, muzzle-loading muskets were what the cool kids had, in one unit, we gave memento plaques to all the departing soldiers. And one - we gave one to everybody. And we put these engraved words in Latin. Here it is. You ready? Nihil facilis est (ph). And roughly translated, nothing is easy, right? And that's... 

Dave Bittner: (Laughter). 

Rick Howard: That's sort of the... 

Dave Bittner: Wow. So upbeat (laughter). 

Rick Howard: Yeah. You know, it wasn't a great unit. What could I say? 

Dave Bittner: OK. 

Rick Howard: So that's the case when we're trying to decide how - where do we want to deploy, you know, our workloads in the cloud. And to a person, all the CyberWire's Hash Table members were intrigued by the way Google had implemented zero trust with their BeyondCorp architecture. But the only member that is actually trying it is my old friend Bob Turner, the CISO for the University of Wisconsin at Madison. 

Dave Bittner: So are they all in there? Are they putting the crown jewel workloads into GCP, or are they just doing a little dabbling? 

Rick Howard: I would split the difference there, OK? Bob doesn't have his crown jewels in there because, like most of the other Hash Table members, he's using AWS for workloads and Office 365 for email and, you know, other things. But he got the opportunity to play with GCP when his university joined a group research project with other universities, and that project is using GCP. So in this episode, we talked with Bob about what he likes and dislikes about the Google cloud environment and the journey his university went on to get there. 

Rick Howard: But if you're looking for the more compelling reason to listen to this episode, you're going to want to listen to Bob's Midwestern sense of humor 'cause he defined some new words for me that I'd never heard of. I'm going to give you three. 

Dave Bittner: Go on. 

Rick Howard: Conditions of weirdness, or COW for short. Let that sink in. 

Dave Bittner: Right. I love it. Yes (laughter). 

Rick Howard: He's from Wisconsin, the dairy capital of the world. So that's where that comes from. 

Rick Howard: Cyber shenanigans, which I really like. But my new favorite security phrase of all time is cyber cow tipping. Yes, that's a thing. 


Dave Bittner: Right. And to find out what it means, you, too, will have to check out... 

Rick Howard: Exactly. 

Dave Bittner: ...The latest episode of "CSO Perspectives." It's part of CyberWire Pro. You can find it on our website, Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He is the managing director and also the global cyber defense lead at Accenture. Josh, it's great to have you back. I wanted to touch base with you today about the report that you all recently put out - this is the Accenture threat intelligence report - specifically some of the areas in that report that are focused on cybercrime and the cloud. What can you share with us today? 

Josh Ray: Yeah. Thanks, Dave. Accenture Cyber Threat Intelligence team actually just completed a two-year series of research where they were really looking at deep and dark web activity of actors targeting organizations in the cloud. And it might be a big surprise to your viewers, but one of the most common ways that actors are actually getting access to cloud environments is through system misconfiguration and publicly known unpatched vulnerabilities. So, you know, hygiene comes back again as much as it does on traditional IT infrastructure as it does your cloud estate. 

Dave Bittner: You know, I think the thing that always gathers attention in the press are when folks leave, you know, for example, their AWS buckets just hanging out there, you know, open to everyone to view. Is that sort of an edge case that attracts the most attention? How - I guess I'm trying to figure out how prevalent is that. Is that the rare thing that attracts a lot of attention, or is that an ongoing concern for people? 

Josh Ray: I would say it's an ongoing concern, right? I mean, you know, we've seen actually massive amount of API key and credential theft, exploited accounts that have been taken over that are being sold for access, but also insider threats, so, you know, actors that are actively peddling, you know, access to, you know, their corporate infrastructure, unfortunately, as well. 

Dave Bittner: What are some of the specific things that folks need to worry about as they continue this sort of ongoing transition to the cloud? 

Josh Ray: Yeah. It's a great question. I mean, so, you know, obviously, the data that's theirs is an attractive target, especially for ransomware gangs who are looking to extort their victims. But, you know, we help clients securely migrate to the cloud all the time. But what they have to understand is that the journey really doesn't end there. And once you get there, you still have to defend it. You have to treat it as that - you know, just the other part of your business that you need to look after. And this, you know, means doing things like patching and ensuring that, you know, the native security controls are configured and applied correctly. 

Josh Ray: But, you know, one of the things that we really try to stress is that you can't stop there, right? You have to conduct that intel-driven red team exercises and hunts, and you have to have folks that conduct those really proper IR investigations in the cloud. 

Josh Ray: And, you know, Dave, I've seen, you know, really just a lot of examples where, you know, a client's cloud estate, unfortunately, is a visibility blind spot for them. So, you know, one of the things that we're really focused on is making sure that, you know, they have that proper logging enabled. But this is also, you know, important to include their application security logs - right? - and when they're doing that monitoring, they're actually applying the right level of threat intelligence use cases so they can really focus on what's important to the business. 

Dave Bittner: How do you help people manage their threat intelligence feeds, you know, to keep it from being just that - the kind of overwhelming firehose of information? How can they dial it in? 

Josh Ray: That's a really great question. I mean, properly operationalizing your threat intelligence is one of the things that I think a lot of organizations struggle with. And the first thing that they do is they talk about it as a threat intelligence feed when it should be looked at as really an extension of the capability. But it also should be something that you have, you know, a high degree of confidence and trust in. 

Josh Ray: So you really want to think about, you know, understanding strategically what your threat exposure is, what types of threats are going to try to target you, what are the TTPs that are being employed by those threats, and then how does that trickle down operationally to, you know, the right types of security controls and then the right types of tactical IOCs or other type of vulnerability intelligence that you need to, you know, to help your operators apply that intelligence, you know, most effectively? So you really have to be able to look at it at different governance levels and then take a very focused, requirement-driven look at what your organization needs to protect itself best against the threats that are going to impact it the most. 

Dave Bittner: How about the cloud providers themselves? I mean, are they evolving the way that their own tools work, the way their interfaces work to try to help people along with this, to make it easier as they learn where the common sort of blind spots are? 

Josh Ray: Yeah, I think they are, I mean, especially with a lot of the cloud providers that we work with pretty frequently. I mean, look; I think every platform or even product owner is, you know, continuing to take active steps and active measures to incorporate the latest and greatest. 

Josh Ray: But, you know, you really have to think about - in order to maximize that investment, you really do need to have folks that, you know, understand how to apply that product or platform and those controls in the most operational manner. And they're able to kind of continually tweak those controls based on, you know, the latest threat intelligence. So it's not just a one-and-done type of evolution. It's a continuous type of process that folks have to understand they have to undertake. 

Dave Bittner: All right. Well, Josh Ray, thanks for joining us. 

Josh Ray: Thank you, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. A taste of life. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.