The CyberWire Daily Podcast 3.31.21
Ep 1301 | 3.31.21

Cyberespionage and influence operations. Reading the US State Department’s mail. Risk management and strategic complacency. Volumetric attacks. Keeping suspect hardware out.

Dave Bittner: Charming Kitten is back and interested in medical researchers' credentials. Russian services appear to have been reading some U.S. State Department emails. Risk management practices and questions about the risks of growing too blasé about management. Recognizing the approach of an intelligence officer. Volumetric attacks are up. Joe Carrigan examines a sophisticated Microsoft spoof. Our guest is Donna Grindle from Kardon on updates to the HITECH Act. More concerns in India and the U.S. about Chinese telecom hardware.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 31, 2021. 

Dave Bittner: Charming Kitten, also known as Phosphorus or TA453, the well-known threat actor associated with Iran's Islamic Revolutionary Guard Corps, has resurfaced in a cyber espionage campaign directed against Israeli and US medical researchers. Proofpoint researchers conclude that the current campaign, which they call BadBlood, is phishing for credentials belonging to geneticists, neurologists and oncologists. The campaign uses emails spoofing communications from Israeli scientists. Proofpoint is confident in its conclusions, but also admits that, as is often the case, attribution is based on circumstantial evidence. 

Dave Bittner: BadBlood's objective remains obscure, as The Record points out. Proofpoint told The Record that the pandemic has produced a surge in collection against biomedical research targets. But the specialties said to be of interest to Charming Kitten - genetics, oncology and neurology - don't bear any close and immediate connections to COVID-19 research. Nonetheless, the collection proceeds and continues to prospect senior researchers. 

Dave Bittner: POLITICO reports that Russia's Holiday Bear may have successfully accessed US State Department emails. It doesn't appear that classified communications were compromised, but emails exchanged by Foggy Bottom's Bureau of European and Eurasian Affairs and Bureau of East Asian and Pacific Affairs were apparently being read in Moscow. 

Dave Bittner: Dark Reading has a summary of the current state of knowledge about the Sunburst exploitation of SolarWinds' Orion platform. 

Dave Bittner: The US is still considering its options with respect to response, retaliation, defense and deterrence in what the Atlantic Council characterizes as a "strategic failure." The Council's report said, quote, "the Sunburst crisis was a failure of strategy more than it was the product of an information technology problem or a mythical adversary. Overlooking that question of strategy invites crises larger and more frequent than those the United States is battling today. The U.S. government and industry should embrace the idea of persistent flow to address this strategic shortfall, emphasizing that effective cybersecurity is more about speed, balance and concentrated action. Both the public and private sectors must work together to ruthlessly prioritize risk, make linchpin systems in the cloud more defensible and make federal cyber risk management more self-adaptive," end quote. In particular, the report claims that U.S. government risk management was too heavy on management and too light on defense. 

Dave Bittner: According to the website Stuff, New Zealand's intelligence and security agencies have released guidance to politicians and academics on recognizing and fending off foreign influence operations. The advice is intended to be generally applicable and does not call out particular states since, quote, "the foreign states conducting espionage or interference against New Zealand change over time," end quote. Much of the advice they give would be familiar to anyone who's undergone counterintelligence familiarization or training. Spies approach you, well, the way spies do - seeking to gain your confidence, offering inducements and cultivating you over time. Whether it's done in person or in cyberspace, the process is much the same. 

Dave Bittner: Akamai warns that volumetric distributed denial-of-service attacks are increasing in frequency and severity. Some of the larger attacks recently observed have been conducted in connection with criminal extortion attempts. 

Dave Bittner: Unpatched systems don't simply become a nonissue over time. Vulnerabilities remain exploitable, even if they fall temporarily out of fashion. Quoting Check Point Research, BleepingComputer reports that WannaCry ransomware is back and undergoing a minor resurgence. Check Point itself said, quote, "worryingly, WannaCry, the wormable ransomware that made its debut four years ago, is also trending again, although it is unclear why. Since the beginning of the year, the number of organizations affected with WannaCry globally has increased by 53%. In fact, CPR found that there are 40 times more affected organizations in March 2021 when compared to October 2020. The new samples still use the EternalBlue exploit to propagate, for which patches have been available for over four years. This highlights why it's critical that organizations patch their systems as soon as updates are available," end quote. 

Dave Bittner: According to the Economic Times, India's government is moving closer to blocking the country's mobile carriers from using Chinese telecommunication equipment. New Delhi is concerned both about security - and relations with China have grown more tense over recent months - and about fostering the growth of a domestic telecom manufacturing sector. 

Dave Bittner: Chinese hardware manufacturers are also coming under renewed scrutiny in the US. Reuters says that a member of the US Federal Communications Commission has called for tougher measures to exclude Chinese hardware from US networks. Commissioner Brendan Carr called for an outright ban on equipment manufactured by both Huawei and ZTE. Current rip-and-replace restrictions on Chinese telecommunications hardware simply preclude companies from purchasing it with federal funds. Carr calls this a gaping loophole, since it's still permissible to purchase and connect such devices using private funds. He said, quote, "It makes no sense to allow that exact same equipment to get purchased and inserted into our communication network as long as federal dollars are not involved," end quote. 

Dave Bittner: Carr also suggested that such restrictions would be overdetermined in any case. It's fully warranted by security concerns and also on the grounds that the US should avoid trading in goods that may have been produced by forced labor. That second reservation is an allusion to Beijing's repression of ethnic and religious minorities, especially the Muslim Uyghurs in Xinjiang. 

Dave Bittner: Donna Grindle is founder of health care security and technology services company Kardon and host of the "Help Me With HIPAA" podcast. She joined me and my co-host Ben Yelin on the "Caveat" podcast to discuss recent amendments to the HITECH Act and how they might affect practitioners in the space. 

Donna Grindle: So the HITECH Act was signed as part of what we know as the stimulus bill, the ARRA, in 2009, and so it was the health care part of that huge stimulus bill. It included several different things, but the one big thing was funding to help push the health care industry towards electronic medical records because it was lagging behind on technology. And it became known at that time as the Meaningful Use program. And if you were a certified EHR - so all of these vendors jumped into the market to become a certified EHR because if a hospital or doctor's office implemented one and then proved they were meaningfully using it, then they got funding to help pay for the cost of installing and securing and all of those things. So we're talking thousands and thousands of dollars that were rolling in to health care to put these things in. 

Dave Bittner: Is that why my kids' pediatrician and my primary care physician started using tablets all of a sudden? 

Donna Grindle: Yeah, really, and a lot of that goes back to that, yeah. 

Dave Bittner: (Laughter). 

Donna Grindle: You know, just the whole industry started moving. Whether they - the Meaningful Use program applied to them or not, now the industry standard was electronic medical records. Once that kicked in, another part of it was saying, OK, we're going to stiffen up the rules for privacy security. We're going to add enforcement, which was never part of HIPAA, really. I mean, there was. But voluntary compliance, we kind of call it like - it's like a speed limit; it's a really strong suggestion. And so they had changed that. That's where HITECH Act added the enforcement. Everybody yells about $1.5 million today. That's where it came from, as part of the HITECH Act. And that actual enforcement piece is what got the amendment in January 2021. 

Dave Bittner: Help me understand here - and forgive how naive this question is - but do I have a master medical record? Is there one record, or are my records scattered about? And if so, why don't I have a master medical record? 

Donna Grindle: No, you do not. They are scattered about, scattered to the wind. 

Dave Bittner: (Laughter) OK. 

Donna Grindle: And that's why we always say, you can cancel a credit card; you can't cancel your medical record. So medical identity theft is a real problem. People don't understand it until it happens to them. But if I were to, you know, get your information and go and file your insurance and say that I'm you at a hospital in another state, and all of my records get in there, and then you end up, say, in a car accident in that state at that hospital, they'll say, yeah, we've had him here before, and they're going to use my blood type, my - you know, if you're not awake enough to know it. So it can be quite dangerous. But that's why you can't cancel them - because there's not one main one. The reason there's not one main one is that we don't have a main health care system. 

Dave Bittner: (Laughter). 

Donna Grindle: And on top - you know? (Laughter). 

Dave Bittner: I want to log on to a website, Donna. I want to log on to a website. I want to see all my medical records for my whole life. Just let me log on to a website. Why is that so hard? 

Donna Grindle: 'Cause I don't know where your data is. I promise I can't find it. 

Dave Bittner: Oh, man. 

Donna Grindle: So, yeah, there's a lot, really, up in the air. And I'm anticipating between now and June a lot's either going to get pushed out, or it's just going to start happening because of the, you know, time frames that are built into the law with this. To me, it's really interesting to see, you know? 'Cause there's just so much to overcome. 

Dave Bittner: Our thanks to Donna Grindle for joining us. You can hear more of our conversation on the "Caveat" podcast. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: I got some interesting research from the folks over at Area 1 Security. This is from their threat research team. And it's titled "Sophisticated Microsoft Spoof Targets Financial Departments." Take us through what they discovered here, Joe. 

Joe Carrigan: So this is actually a very advanced spearphishing campaign. First off, they - one of the things they note is that they are going after people in the treasury organization of businesses and in the C-suite, and they're targeting assistants in those areas as well, like executive assistants. A lot of CEOs, almost every CEO, has an executive assistant, and these people are also being targeted. 

Dave Bittner: Right. 

Joe Carrigan: And the idea is that these guys can get into - if they manage to compromise somebody in the finance department's email, they can start sending out invoices to people with payment instructions that reward the attackers, right? So send - wire this payment directly to this account, and thank you very much. And then the victim company who is a customer of the compromised company then sends a payment to the attackers, and they make off with a huge pile of money. Now, what's interesting in this is the way these guys are going about it. They're using a very sophisticated phishing kit. They are registering domains that are Microsoft look-alike domains. They are registering them quickly and then executing these spearphishing attacks with those domains relatively quickly so that once you determine or it is determined by the security community that this is - this website is part of phishing infrastructure, it very quickly disseminates throughout the community. So they're, you know, making hay while the sun shines, if you will. 

Joe Carrigan: One of the things that's really interesting that they're doing that you don't generally see in phishing campaigns is they're setting up SPF records, which is the secure - Sender Policy Framework. These are DNS entries that are text records that say, yes, this domain is allowed to send email for us. So a lot of times, if you have - you know, you can set up your receiving email to go, let's check and make sure the SPF record for this is OK. If you don't have an SPF record, we're not accepting the email. Well, these guys do have an SPF record for this. So it just bypasses that security check right there. 

Joe Carrigan: You know, it's not - I'm not saying that SPF records are garbage. You know, you should still use them. It's an extra step that people have to go through, but it's not that hard to get around, apparently. 

Dave Bittner: Right. One of the things that caught my eye here was that evidently, these attackers are specifically targeting new CEOs during their transition periods, which - that's fascinating on the social engineering side. 

Joe Carrigan: Right. What's also interesting is the article says that they're targeting these new CEOs before public announcements have been made, right? 

Dave Bittner: Right. 

Joe Carrigan: Which to me says they're already in somebody's email (laughter). 

Dave Bittner: Right. 

Joe Carrigan: There's already some compromise going on. Think about it - I'm the new CEO, but nobody knows I'm the new CEO, maybe my guard is not up as much as it should be. 

Dave Bittner: Right. Well, you're not going to be familiar with what stuff looks like at the new office... 

Joe Carrigan: Right. 

Dave Bittner: ...So you don't know what normal is. So you start getting all - because part of any onboarding, doesn't matter if you're the CEO or the, you know, the intern, any onboarding process is full of an avalanche of documents usually, you know? 

Joe Carrigan: Absolutely. That's right. 

Dave Bittner: So it's read this, sign this, and you're not sure yet - you're not acclimated to what's normal. 

Joe Carrigan: Right. 

Dave Bittner: So that's a great opportunity for people to swoop in and take advantage of that. 

Joe Carrigan: Indeed, it absolutely is. One of the very convincing parts of this phishing kit is that they're sending out policy updates and security updates emails that are fake. And if you click on a link, you're taken to a page that looks like the login page for Microsoft. It even has your company logo on it and your email address. 

Joe Carrigan: And the way they do that is, you know, they put the email address into the link, so it's easy to pull it up. But the company logo is pulled from an online service that just displays your logo. So they know - they match your domain with the logo for your domain, and you get a really convincing login page. 

Dave Bittner: Right. So it looks like it might be some sort of enterprise account... 

Joe Carrigan: Right. 

Dave Bittner: ...That's combining, you know, your logo with Microsoft's logo and... 

Joe Carrigan: Exactly. And that's what happens when you log into Microsoft 365 accounts. 

Dave Bittner: Yeah. 

Joe Carrigan: So it's more convincing. Another thing they're doing is they're using - they're sending HTML pages with JavaScript in it - obfuscated JavaScript that just does the credential harvesting for you as an attachment. So if you don't get a PDF, you get it - you get the HTML page that also does all the redirects through the different sites. So you may not even be going out to a server. 

Joe Carrigan: We've talked about this before - I can't remember if it was on the CyberWire daily podcast or on "Hacking Humans" - where a malicious actor sends out an HTML page that then just submits a request - you know, submits the credentials you enter, and they collect your credentials that way. You don't actually have to connect to a web server. 

Dave Bittner: Yeah. Well, it's an interesting report - definitely worth a read here. Again, it's the folks over at Area 1 Security, on their blog. It's titled "Sophisticated Microsoft Spoof Targets Financial Departments." Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Comes with everything you see here. Some assembly required. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.