The CyberWire Daily Podcast 3.26.21
Ep 1298 | 3.26.21

Carding Mafia hacked by other criminals. Gangland extortion. Section 230 reform. Director NSA talks about cyber defense, especially foreign attacks staged domestically. Propaganda. Hacktivism.


Dave Bittner: Criminal-on-criminal cybercrime. Ransomware hits European and North American businesses. Big Tech goes virtually to Capitol Hill to talk disinformation and Section 230. The head of NSA and U.S. Cyber Command discuss election security and cyberdefense with the Senate Armed Services Committee. Russia complains of a U.S. assault on Russia's civilizational pillars. Accenture's Josh Ray shares his thoughts on securing the supply chain. Our guest is Sergio Caltagirone from Dragos on their 2020 ICS/OT Cybersecurity Year in Review. And there appears to be a minor resurgence of hacktivism.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 26, 2021. 

Dave Bittner: Criminal-on-criminal crime hit the Carding Mafia, an underworld forum in which paycard data is shared, sold and traded, Vice reports. According to Have I Been Pwned, the stolen records included email addresses, IP addresses, usernames and hashed passwords for nearly 300,000 people. 

Dave Bittner: The Record writes that Babuk ransomware has hit the PDI Group, an Ohio-based supplier of material handling equipment to the US and other militaries. Babuk's operators claim to have obtained some 700 gigabytes of files from PDI's internal networks. The stolen data appears to be mostly corporate intellectual property, which the gang threatens to post online if they're not paid. 

Dave Bittner: Also in the Record is an account of a major data breach in the Netherlands. RDC, a company that provides car maintenance and garage services, disclosed that it had been breached. The personal information of more than 7 million car owners is now being offered for sale in a forum that caters to cybercriminals. 

Dave Bittner: Big Tech, social media division, had a day on Capitol Hill yesterday. Quartz reports that Facebook's Mark Zuckerberg asked the House for Section 230 reforms as a necessary step toward enabling social media to control disinformation. Computing quotes him as saying, quote, "Congress should consider making platforms' intermediary liability protection for certain types of unlawful content conditional on companies' ability to meet best practice to combat the spread of this content," end quote. 

Dave Bittner: Google's CEO, Sundar Pichai, and Twitter's boss, Jack Dorsey, also testified. Both emphasized all that their platforms were doing to restrain and moderate disinformation and incitement. They did not join Mr. Zuckerberg's call for Section 230 reform, which suggests that, in the industry, Facebook is on its own. 

Dave Bittner: General Nakasone, director of the NSA and head of US Cyber Command, yesterday told the Senate Armed Services Committee that adversaries increasingly use U.S. infrastructure to conduct their attacks, recognizing that domestic communications constitute a legal blindspot for U.S. intelligence collection, according to Breaking Defense. 

Dave Bittner: NSA, by law and policy, doesn't monitor US networks. Nakasone told the committee, quote, "We should understand what our adversaries are doing. They are no longer launching attacks from different parts in the world. They understand that they can come into the U.S., use our infrastructure and there's a blind spot for us not being able to see them," end quote. It's not necessarily NSA that should be looking at cyber operations conducted from inside domestic infrastructure. It's just that someone should and that whoever does needs the technology and authority to cope with a nation-state adversary. Nakasone said, quote, "What I'm identifying right now is that our adversaries understand that they can come into the U.S. and rapidly utilize an ISP, come up and do their activities and then come down before a warrant can be issued, before we can actually have surveillance by a civilian authority here within the U.S. That's the challenge that we have right now," end quote. 

Dave Bittner: General Nakasone also told the committee, C4ISRNet writes, that Cybercom conducted more than two dozen missions to counter hostile foreign activity against the 2020 US. elections. Quote, "Over the past year, I emphasized the importance of defending the election against foreign interference. US Cyber Command conducted more than two dozen operations to get ahead of foreign threats before they interfered or influenced our elections in 2020," end quote. He didn't specify the adversaries, nor did he go into detail about the nature of the operations Cybercom conducted. 

Dave Bittner: Nakasone cited three lessons learned from recent experience. First, Cyber Command needs to be ready to act. Quote, "Threats can arise rapidly, and opportunities can be fleeting. Our ability to operate successfully in cyberspace is a function of streamlined processes, mission readiness and the trust of our various mission partners," end quote. Second, keeping Cyber Command and NSA under the same leadership brings significant benefits. The closeness brings the speed, agility and flexible responses necessary to readiness. And third, intelligence-sharing with domestic and international partners is vital to successful defense. 

Dave Bittner: A senior adviser to Russia's defense minister described US policy as one of waging a psychological war against Russia that aims to destabilize the country's civilizational pillars, Reuters reports. Andrey Ilnitsky, who advises Defense Minister Sergey Shoygu, said in a television interview, quote, "A new type of warfare is starting to appear. I call it, for the sake of argument, mental war. It's when the aim of this warfare is the destruction of the enemy's understanding of civilizational pillars," end quote. 

Dave Bittner: His account of the US target list is interesting. It includes President Putin personally, the institution of the presidency itself, the Russian army, Russian youth, and the Russian Orthodox Church. He said the United States was also using economic and informational measures in attempts to undermine Putin, the presidency, the Army, the Russian Orthodox Church and Russian youth. Subsequently asked for comment, a government spokesman, Dmitry Peskov, concurred. He said, quote, "A deliberate policy to contain and keep Russia down is being pursued. It is absolutely constant and visible to the naked eye," end quote. 

Dave Bittner: And finally, Reuters points with an appearance of sober, measured alarm to a reappearance of hacktivism on the threat landscape. Hacktivists have, for some time, been the junior member of the threat triad, well behind nation-states and criminals. Indeed, with the long goodbye of Anonymous and LulzSec over the past decade, as they go into the big sleep of co-option by security services or recruitment into cyber gangs, it's grown easy to disregard hacktivism as a serious threat. They are still not nearly as big a threat as either spies or gangs, but hacktivists have recently grown friskier. Three recent incidents, Reuters says, show that hacktivism is being taken more seriously. There are, first, the collection of riot videos from the alternative social network Parler, second, disclosure of the Myanmar junta's surveillance apparat and, finally, the exposure of data from Verkada network security cameras. 

Dave Bittner: The Verkada hack prompted a US federal indictment of one Tillie Kottman, a hacktivist living in Lucerne, Switzerland, who claimed a desire to expose the Orwellian reach of their surveillance state by direct action against security cameras used by corporations and also by schools, houses of worship, and mom and pop stores and so on. Acting U.S. attorney Tessa Gorman sniffed, quote, "Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft and fraud," end quote. And her view is representative of prevailing opinion at the Justice Department. 

Dave Bittner: And Anonymous itself has surfaced, putting in appearances on behalf of BLM protests and against police departments. As an anarchist collective, it's, of course, difficult to identify Anonymous. But at least in a rough and ready way, it appears it's back. An old Anonymous hand, Aubrey Cottle, has returned in action against QAnon, the conspiracy-minded group. QAnon's reported attempt to hijack the Anonymous brand on behalf of its own causes seems to have energized OG Anonymous. 

Dave Bittner: Researchers at ICS security firm Dragos recently published their 2020 ICS security year in review. It's the topic of this week's Research Saturday podcast with my guest, Dragos vice president of threat intelligence Sergio Caltagirone. Here's a preview of our conversation. 

Sergio Caltagirone: We've been doing this report for three years now. Obviously, Dragos has been around for four and a half years. And, you know, really, one thing we've always looked at is other vendors and other members of the community who have been able to put together real data points about cybersecurity. And I think that we all - you know, in this space, we all have all of these anecdotes about stuff happening. And that's great, but it doesn't - anecdotes don't make good policy. And I think that's true almost everywhere. 

Sergio Caltagirone: And what Dragos really wanted to do was say, hey; look. ICS and operational technology, the systems that run our - you know, our power, our water, our food manufacturing plants, and they keep us safe and healthy, and they produce drugs and pharmaceutical factories and so forth - like, we need data about that, too. It's not just about email systems being compromised or, you know, web browsers or, you know, zero-days affecting, you know, your, you know, Zoom or whatever. You know, it's really about, you know, how are we doing in the industrial sector specifically because it is a very unique one. 

Sergio Caltagirone: And so every year now we've done a report, and it's a bear, man. I got to tell you. It's one of the hardest things I do because it takes so much work to really pull apart. You know, after a whole year of work, it's hard to pull apart, like, you know, and step back after you're - like, you know, you fight fires every day. And you step back, and you're like, OK, what is - what really happened this last year - of course, 2020 being unique in that we have all these other global events that have been placed on top of us as well. And so, you know, it was really a good opportunity to step back and ask the question, what's changed? But more importantly also, I think what's important is what hasn't changed and what needs to change. And so that's why we put this together, and we really try to make it data-driven. 

Dave Bittner: In terms of how we take action based on the information that you all have gathered here, to what degree are we behind? Is this a Manhattan Project kind of thing where, you know, we've got to get all hands on deck and work on this? Or is there a more deliberate sort of rational, kind of slow thing where we can plan and say, OK, you know, over the next X number of years, we are going to get to this point as a nation? 

Sergio Caltagirone: Yeah, that's a great question. And I want also to recognize that this isn't a U.S. problem - right? - that this is - this affects 7 billion people worldwide who use industrial control systems for reliable power and clean water and so forth. So, you know, this is a global issue. And when attackers attack a system in, say, India and they affect an industrial control system there, they're learning how they attack industrial control systems elsewhere. So you see that very traditional threat proliferation problem. 

Sergio Caltagirone: And so that's why we treat this as a - we very much treat this as a global issue. The - I think what we've seen is especially with, say, the water treatment facility in Oldsmar, Fla., and with other incidents that happened last year and over the last couple years, I think we're seeing increased urgency. Four years ago, Dave, when I think you and I first talked, this was very much a, hey, things aren't bad, not bad yet. They're going to get worse. We can kind of see that. You know, we have time. I think that that clock is running out on us. And I think that we're not getting better fast enough. 

Sergio Caltagirone: And I think the answer is that we are getting left behind. We had the opportunities four or five years ago to get better, when we knew this was going to be a problem. And I think that we're not yet seeing the amount of acceleration to protect these environments that we should have. And my concern is that this is slowly turning from a, hey, you know, we can do this; it can be methodical; it can be improved; we can get better - and I've got to say, over the next three to four years, this is going to turn into a Manhattan Project. And this is the - we are in a very important situation where we know what we need to do. There is no question that water treatment plants need to be protected. The answer is going to be, what do we do about it? And the answer is, it's coming. Right? It's here, and it's going to come even more. It's going to come more often. 

Sergio Caltagirone: So the answer is we need - first of all, the answer is visibility, visibility, visibility. I've hit it several times in this podcast so far. If you can't see it, you can't protect it. And so with that 90% statistic of most organizations don't even have the basic data to protect themselves, we have to start there. And if we don't start there when we have an Oldsmar, we're going to get stuck in the same situation of something bad happened, but we don't entirely know what or how or when or so forth. And we need to get better at doing that. And that is our first step to understanding the adversaries and then to lay the foundation of greater defensive action as we move forth. 

Dave Bittner: Well, I mean, big-picture take-homes, what do you hope people walk away with after they've read the report? 

Sergio Caltagirone: One is that there should be public pressure generally on public policy-makers to improve the cybersecurity systems of public utilities. That has to be a critical element of what we do. In addition to that, private entities need to recognize the raw data here and say, OK, if we have a major incident, in 90% of the cases, we will have no idea what just happened. And that is not OK if you want to be able to bring a plant back up online safely. And so I think both from a market pressure, from downtimes and industrial operation stoppages and so forth - and disruptions, all the way back to the public utilities need to be protected - we need to have reliable and safe electricity and drinking water and so forth, I think we need pressure on both sides to make industrial systems better. 

Sergio Caltagirone: And so I think that there's a role for everybody. There's a role for people reading this report and listening to you who are like, yeah, I've never touched or I don't even know about industrial systems. Well, you know what? Call your public utility commission and say, what are we doing about this? Right? Talk to your legislators. Talk to your local governments. Talk to people who have control over this happening for your community. You don't want to be an Oldsmar, Fla. And in addition to that, the company leaders who are listening to this need to start looking at the data and say, wow, we have an industrial environment, and this is coming at us like a freight train; we should probably do something about it now. So I think there's something in this report for everyone to take away and do something. 

Dave Bittner: That's Sergio Caltagirone from Dragos. Don't miss the rest of our conversation. It's on "Research Saturday" this weekend. 

Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He's the managing director and global lead of Accenture's cyberdefense business. Josh, it's always great to have you back. Due to things that have been in the news lately, supply chain security has been top of mind for a lot of folks lately. I want to check in with you, get some words of wisdom from you when it comes to supply chain security. 

Josh Ray: Yeah, Dave. Unfortunately, this has been in the news lately and a pain point, obviously, for, you know, a lot of the clients that we're dealing with and helping them kind of work through this. But, you know, supply chain security, whether you're talking about, you know, AvorVor (ph), NotPetya or now even SolarWinds is really about an attack against the trust and confidence of our broader vendor ecosystem, right? And I'm not being overly dramatic when I say that it's actively under attack. But we have to stop thinking about this as if it's an IT problem. This is a business problem that has technical components to it. So, I mean, if it's one of the things that the SolarWinds has really highlighted for us is that, you know, all companies across all industries really now need to take a hard look at the security of its vendors and evolve their security posture to, you know, prevent, detect and respond to these supply chain types of threats. 

Dave Bittner: So how does coming at this from a business point of view, how does that change the way that you'll approach this particular threat? 

Josh Ray: Right. Well, I mean, I think we have to realize that, you know, this is not just for CIOs, right? It's not the IT guy's problem. You know, if you develop or sell a product or a platform, this notion of end-to-end product security absolutely should be top of mind, right? I mean, so you really have to approach it with, you know, a series of both technical and what I would consider probably the - you know, the less sexy types of things that you need to do around maintaining an accurate, you know, third-party vendor inventory or, you know, review risk tiering and so on and so forth. And I think, you know, those are the types of things that, you know, programs - security programs need to adapt really as an end-to-end operational model. 

Dave Bittner: And what about going beyond, you know, compliance? It's - that's sort of the stereotype about, you know, checking the boxes to make sure you're compliant. But I'm thinking like, how many levels down do you need to go to know that you're - to have a confidence that you're secure? You know, I can check my suppliers; what about their suppliers? What about their suppliers? Do you see where I'm going with this? 

Josh Ray: Yeah. No, it can be an endless, you know, rabbit hole that you just keep going down. I mean, you know, so - I'll give you an example. So pen testing, for example - right? - it's important, right? And you need to, you know, adapt a program, you know, an application security program, that takes in and incorporates, you know, let's say, the latest threat tactics, right? So, you know, looking at the SolarWinds attack, for instance, you know, malicious code was injected, you know, at the point where the software was being compiled, right? I mean, so, you know, how do you actually anticipate that? So I think you need to go as far as the threat is going so - or even more importantly, anticipate what that next move is going to be. 

Josh Ray: So we would never have thought, you know, maybe five or six years ago that you have to do that level of triage within your application security testing, but you absolutely have to now be able to do, you know, very in-depth code reviews again and incorporate kind of the latest threat TTPs into that application security program. And then you need to do kind of, you know, broader emulation and test all different parts of your business - right? - everything from C-suite responses to your security operation center, right? So that when there is an activity that requires you to act, you're not acting for the first time in a time of crisis, right? You're able to communicate effectively with the regulator or reach out to your clients and so on and so forth. 

Dave Bittner: You know, I think it's easy for a lot of folks to feel overwhelmed by this. Do you have any recommendations of some specific things that folks can put in place these days to get started? 

Josh Ray: Yeah, I think the first thing that, you know, organizations need to do is assign the proper level of priority to this business risk, right? So they have to create a dedicated function that focuses on this and fund it appropriately so that they can really, you know, protect their organization, right? So that's first and foremost. If executives are out there and they're listening, I mean, this is one of the things that I think you need to do now as a matter of course. 

Josh Ray: But then there's a little bit more tactical things, like reviewing and updating and enforcing your contracts - right? - to make sure that they, you know, define security behavior and breach notification. Assuring vendors security priorities - you know, mirror your own - right? - to ensure that they take security as seriously as you do. And it also kind of - you're able to share your expectations of practices with them. And then there's your normal, you know, audits and reviews that you do. But, you know, not just to kind of drive this idea of compliance but, really, you know, enter into a conversation with your vendors and treat them actually as real partners because it's going to take all of us to really, you know, come together and fight this problem. 

Dave Bittner: All right. Well, Josh Ray, thanks for joining us. 

Josh Ray: Absolutely. My pleasure, Dave. Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - the greatest name in the great outdoors. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.