The CyberWire Daily Podcast 3.19.21
Ep 1293 | 3.19.21

Cyberespionage against Finland. Moscow’s displeasure. ICS security. Two indictments and why the PLA should stick to Buicks.

Dave Bittner: There's no doubt about it. Teachers and educators work extremely hard, and we think you should be rewarded for that. That's why we provide a nice discount to CyberWire Pro to help you stay up to speed on key cybersecurity issues and topics relevant to your lesson planning and for your own evolving education. Many teachers and educators rely on their Pro subscription to unlock access to valuable and quality content to help them save time and stay informed. Contact us today to receive your discount or to get a personalized tour of CyberWire Pro by visiting and clicking on the Contact Us link in the academic box. That's, and then click Contact Us in the academic box.

Dave Bittner: Helsinki blames Beijing's APT31 for cyber-espionage against Finland's Parliament. Russia withdraws its ambassador to the U.S., calling him home for consultation after the U.S. IC's report on election influence ops. Risk management for industrial control systems and especially for an often-overlooked part of the power grid. Johannes Ullrich from SANS on evading anti-malware sandboxes with new CPU architectures. Our guest is Tony Cole from Attivo on dealing with adversaries already inside your network. A guilty plea in an odd extortion attempt, why China’s wary of Teslas, and the indictment of a hacktivist. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 19, 2021. 

Dave Bittner: The AP reports that Helsinki's domestic security service, the Supo, has identified China as responsible for a cyber-espionage incident that breached Finland's Parliament last year. The intrusion was detected last October, and the investigation has now concluded that the specific threat group responsible for it was APT31, an intelligence unit run by Beijing that's also known as Zirconium or Judgment Panda. Finnish broadcaster YLE quoted a detective superintendent of the National Bureau of Investigation to the effect that the espionage aimed at "acquiring information for the benefit of a foreign nation or to harm Finland." That by itself is uninformative. It's practically a tautology to say that governments spy to advance their own interests at the expense of other governments. So that statement is probably best read as meaning, our investigation is still in progress. 

Dave Bittner: In an apparent expression of displeasure with American policy and public diplomacy, Russia has recalled its ambassador to the United States from Washington, bringing him back to Moscow for consultation. The Wall Street Journal notes that the move came the day after the US intelligence community released its unclassified assessment, accusing Russian President Putin of personal involvement in malign influence operations directed at the 2020 U.S. elections. Mr. Putin isn't happy that the report was as specifically personal as it turned out to be. 

Dave Bittner: The US Government Accountability Office yesterday released a study that highlighted vulnerabilities in the US power distribution system. Many of the risks the GAO describes derive from utilities' increased permission of remote access and connection of control systems to business systems. The report is focused on power distribution and that perhaps warrants some explanation, which the GAO itself provides. The power grid includes three distinct functions. 

Dave Bittner: First, there's power generation and storage. These include both the obvious conversion of various other forms of energy - chemical, mechanical, thermal, radiant or nuclear - into electrical power, and the often-overlooked, by consumers at least, storage of energy in such repositories as batteries or pumped hydroelectric facilities. 

Dave Bittner: Second, there's transmission which connects power storage and generation to the places where the power is consumed. These include such familiar things as transmission lines and electrical substations. 

Dave Bittner: And finally, there's distribution, which is the subject of the GAO's study. Distribution systems move electrical power out of the transmission system and into industrial, commercial, residential and other end users of the electricity. The distribution systems might include distributed energy resources, like the solar panels sometimes installed on houses and networked meters, thermostats, chargers and so forth, at consumers' location. 

Dave Bittner: These are, for the most part, networked industrial control systems. And these, especially as they're found in power distribution, are increasingly exposed to potential cyberattacks. The department has paid more attention to generation, storage and transmission than it has to distribution. And it told the GAO that its general opinion is that the risks are greater in these areas than they are in distribution. That there's a risk here, the GAO says, is clear. What the scope of that risk may be, however, is unclear. And the report asks the Department of Energy to take a closer look at that risk. 

Dave Bittner: A bill intended to enhance cybersecurity for industrial control systems advanced in the US House this week, FCW reports. The DHS Industrial Control Systems Capabilities Enhancement Act of 2021 cleared the House Homeland Security Committee yesterday. The measure, introduced by Representative John Katko, Republican of New York's 24th District, would give the CISA director the lead federal role in identifying and mitigating risks to industrial control systems and process control technologies. FCW suggests that the attempted cyber sabotage of the Oldsmar, Fla., water utility provided the motivation for the proposed law. Representative Katko did allude to Oldsmar in talking about the bill. Quote, "these systems operate many vital components of our nation's critical infrastructure and remain under constant attack from cyber criminals and nation state actors. As we saw recently when a Florida water treatment facility was targeted, these attacks can have devastating real-world consequences," end quote. 

Dave Bittner: CISA continues to try to help both government agencies and the private sector secure their systems against recent severe threats. For one thing, CISA has released CHIRP, the CISA Hunt and Incident Response Program forensics collection tool the agency developed to help organizations find indicators of compromise CISA has associated with SolarWinds and the Microsoft 365/Azure environments. 

Dave Bittner: In thinking about risk, it's, of course, a truism that there are three things you can do with it. You can accept risk, you can manage risk or you can transfer risk. We were able to attend Wednesday's session of the Johns Hopkins University's seventh annual Virtual Cybersecurity Conference, the second of a planned three. The presentations took up the latter two as experts described how to reduce risk, fix liability for it and arrange insurance that covers such risk. Our account of Wednesday's conference takes you through the presentations. You can find that on our website. 

Dave Bittner: The draft of NIST SP 1800-22 Mobile Device Security: Bring Your Own Device is out and open for comment until May 3, 2021. It's a practice guide designed to help organizations protect their data and the personal privacy of their personnel while their people use personal mobile devices to get work done, as so many are doing during the pandemic. 

Dave Bittner: We're used to ransomware being installed by phishing or water holing or other online social engineering. But, sometimes, the social engineers go old-school and try to do the convincing in person. That has its own perils for the scammer as well as the scammed. Witness one Egor Igorevich Kriuchkov, 27 years young and a Russian national. Mr. Kriuchkov has taken a guilty plea in the US District Court for the District of Nevada, copping to conspiracy to get a Tesla employee to introduce malware into his company's systems. Mr. Kriuchkov and his co-conspirators intended to use the malware to steal corporate information, which they would then hold hostage, threatening to release it if they weren't paid a generous consideration for returning it unreleased. The employee reported the approach to Tesla, who reported it to the FBI, who got the goods on Mr. Kriuchkov. Sentencing is scheduled for May 10. 

Dave Bittner: Speaking of Tesla, The Wall Street Journal reports that China intends to restrict military and state employees from driving them. It would be easy to dismiss this as a mean-spirited shot in the ongoing Sino-American competition. But despite all the stick the government in Beijing takes in this podcast, in fairness, we have to say that they're not crazy to have security concerns. Late-model cars have lots of sensors and connectivity, and the Teslas are more fashion-forward in this than any other marque we can think of off the top of our head. A Tesla is a sweet ride. But from another point of view, it's also a big mobile sensor package chattering in somebody's cloud. Even grim regimes have legitimate security concerns. If in 1999, NSA could tell its people to keep their Furbys out of Fort Meade, Furbys tending to repeat the things they hear, then it seems fine for the People's Liberation Army to tell the troops to drive their Buicks to work instead. Leave the Tesla home in the carport. 

Dave Bittner: And finally, Swiss hacktivist Tillie Kottmann, the one who claimed responsibility for the Verkada security camera hack, has been indicted by the US Justice Department on federal charges of conspiracy, wire fraud, and aggravated identity theft. The Verkada caper was just the last straw, if it was even that. Kottmann's apparently been acting as a malign nuisance for some time, if the Justice Department has it right, at least since 2019. Kottmann has told the Record, among others, that the data Kottmann obtained came from misconfigured GitLab and Bitbucket Git servers but also from SonarQube source code management apps. Justice says that's not the whole story or even the main story. Some of the data Kottmann is alleged to have obtained and subsequently used included improperly obtained employee credentials. 

Dave Bittner: What were the alleged motives? More the pursuit of cachet than cash, apparently. The Justice Department says promotion of Kottmann's own reputation in the hacking community was a goal. How that weighed in comparison with the hacktivist desire to strike a blow against contemporary surveillance practices remains to be seen. 

Dave Bittner: There's a line of thinking in cybersecurity that basically says, assume you have already been breached, operate as if the adversary is already in your system. Of course, there's nuance to this argument. And joining me to discuss that is Tony Cole. He's chief technology officer at Attivo Networks. 

Tony Cole: For those of us in the business, most of us have realized this for a long period of time. We don't know who's inside the environment today. SolarWinds is really - you know, and I hate to use the term 'cause we've said it so many times over the last couple decades, but it truly should be a wake-up call that we need to be cognizant of the fact that the adversary, sooner or later, is going to get inside the environment. And we need to be aware of that and build an assumption of breach mentality. And by that, I mean we need to really start instrumenting on the inside of our networks, prevent what we can, but focus on detection as well so that we can catch them, knowing that they will break in sooner or later. 

Dave Bittner: Well, let's dig into that. I mean, what sort of things are available that you recommend for detecting these sorts of things? 

Tony Cole: Well, I think that there's a lot of pieces that we need to focus on today that, you know, get some coverage, but not near enough. You know, when you look at lateral movement, MITRE has done some tremendous work, and NIST has as well, you know, with 800-53 Rev 5. You know, and those controls, I'm sure your listeners know, feed into the cybersecurity framework. 

Tony Cole: You know, they've started to focus on deception. MITRE has now built an active defense, you know, structure called MITRE Shield that's the counter to MITRE ATT&CK. And both of those teams now do some work around deception, and MITRE Shield truly does a tremendous amount of work around deception, has a whole deception team there led by Dr. Stan Barr. And those pieces are really important to instrument inside your environment and look for that lateral movement. 

Tony Cole: The other piece that's critically important is the SolarWinds breach that just took place and really tells us why we should also be focusing on Active Directory. That's been a problem for a very long period of time. Most red teams and attackers, that's one of their first targets they go after, and yet very little is done on the defensive side for Active Directory. So that is a critical, critical point, looking at that, protecting it and stopping privilege escalation. 

Dave Bittner: You know, I can imagine a lot of folks feeling a bit overwhelmed when you look at something like SolarWinds and you try to imagine, you know, how far down my supply chain do I have to go to verify, you know, that there's security there? But I suppose to a certain extent, if really what you're focusing on is behavior, that helps take away that concern. You don't have to be so concerned with that. You're keeping an eye on what's going on under your own roof. 

Tony Cole: Yeah, absolutely. And, you know, we all know the old saying trust but verify. And I think in this instance, we kind of need to turn it on its head. And, you know, you can continuously verify and then trust. But even after you trust, you need to still keep verifying, you know, across the board that there's no malicious actors inside the environment and they're not moving laterally or escalating privileges. 

Tony Cole: And I think it's going to continue to be a problem for a long period of time. I heard a number of speeches on this. And I won't name names of companies, but people talked about, you know, this is the most significant breach, you know, in history that we know of. And to me, mentally, I chuckle, and I've got a lot of old other graybeard friends that - same thing - that chuckle, because what no one ever says, and they should, is that we know of, you know? 

Dave Bittner: And so far. 

Tony Cole: Right. Yeah, exactly. 

Dave Bittner: (Laughter) Right, right, right. Yeah. 

Tony Cole: So, you know, what other existing ones are out there? I mean, there's a lot of other, you know, very deeply penetrated into enterprises out there, you know, different technologies, different software, you know, suppliers that, you know, we don't know if that technology is good. Unless you're looking for that lateral movement inside your environment and you're stopping privilege escalation in its tracks, then you simply don't know. So that's just a critical piece for people to focus on and I think why we've seen NIST and MITRE really double down on it in the last three years. 

Dave Bittner: You know, again, going back to that person who may feel a little overwhelmed, you know, overworked and underresourced, where should they start? How do you - what are your recommendations for where to begin? 

Tony Cole: Yeah, that's a really great question. You know, the EDR technology is good, you know, and there's - that's an easy area to focus on because everybody knows endpoints are an important piece. The perimeter is gone. You know, with the pandemic ongoing, the little bit of perimeter we had left has been blown away. You know, down the line, we're going to have pretty much cloud and endpoints. So focusing on the endpoint is a great first start, you know, in an area that most defenders know very, very well. 

Tony Cole: So upgrading that endpoint technology, EDR, and then adding additional pieces onto that endpoint that can help you protect Active Directory and help you detect lateral movement very quickly, you know, those can be a fantastic addition, you know, that will stop the adversary very, very quickly. So you're literally building instrumentation inside your enterprise via the endpoint to detect when somebody is on those systems, and you're not trying to completely - from a preventative fashion. Instead, you're focusing on an additional level of effort on detection, all in an area that the, you know, defender already knows, from the endpoint security perspective. 

Dave Bittner: That's Tony Cole from Attivo Networks. There is a lot more to our interview. Don't forget to go listen to extended versions of this and many other interviews at CyberWire Pro. It's on our website, 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC "StormCast" podcast. Johannes, it's great to have you back. 

Dave Bittner: You know, my attention has been caught recently by Apple's release of their Silicon Macs based on ARM architecture. And I'm curious what your insight is on what sort of effect this could have on evading malware. Are the malware folks taking notice of these new processors and potentially the, you know, the opportunities therein? 

Johannes Ullrich: Yeah. And I think that surprised me, too, how quickly malware actually was released optimized for Apple Silicon, as it's sometimes called. There was initially no real sort of good reason for it. Apple did a pretty good job with its Rosetta software to make it seamless for x86 software to still work on these new Apple Silicon Macs. So performance usually isn't a big problem either for malware. 

Johannes Ullrich: So the big question was why? And one of our (unintelligible) readers actually provided a real good reason, and that's anti-malware. A lot of advanced anti-malware these days have sort of some kind of sandbox component where it runs a particular sample that it receives for a while and then does some behavioral analysis on it. And that's sort of how a lot of the good exploits are found these days. 

Johannes Ullrich: But then again, one big shortcoming of the Apple Silicon architecture right now is that there aren't really any great virtualization platforms to actually set up these sandboxes. So in short, if you compile it for an Apple Silicon architecture, the malware will not run in these sandboxes. Behavioral analysis will not work. And the end effect is that, well, it may pass the filter. 

Dave Bittner: Is this - should we expect this to be a closing window, that eventually these sorts of things will run on Apple Silicon and so it won't be effective anymore? 

Johannes Ullrich: I hope so. Now, I expect there is at least, like, a year or so where we don't really have sort of any out-of-the-box commercial sandbox technology for it, maybe even longer. It doesn't appear to be trivial to do this sort of cross-platform virtualization. There are some open-source products that do some of this, like QEMU and such, but they're not terribly straightforward to get going. 

Johannes Ullrich: You know, in the past, we had sometimes these other platforms being used for IoT devices, like these famous Mirai-style bots. They usually came in different varieties. But that kind of malware you're not typically concerned about running in a sandbox. It's usually the one that affects the end user, that affects your general computing platforms. And, yeah, up to now, that was pretty much an x86 world that has really had some inroads from ARM only in the last year or so. And, of course, the big one now was with Apple's new processor. 

Dave Bittner: So if you're someone who's taking advantage of these new processors from Apple, what should your approach be? How should you best protect yourself? 

Johannes Ullrich: Well, probably the best approach is if it's an attachment and if it's an executable, block it. Don't allow it in. I get an awful lot of weird attachments myself, of course, you know, doing research and such. I don't remember the last time someone sent me an executable. And people sometimes send me, intentionally, malware. And by the way, if anybody's listening, I love malware. Send it my way. But... 

Johannes Ullrich: Really hard to get action (ph) executable. So just block it. 

Dave Bittner: Be careful what you ask for, Johannes. 

Dave Bittner: All right. Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It takes grease out of your way. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: If you're looking for a fun way to fill part of your weekend, do check out "Research Saturday" and my conversation with Jen Miller-Osborn from Palo Alto Networks' Unit 42. Our conversation focuses on BendyBear, a novel Chinese shellcode linked with cyber-espionage group BlackTech. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.