Apparent cyber sabotage at Natanz. Arrest made in alleged plot to blow up AWS facility. Scraped data for sale in criminal fora. US senior cyber appointments expected soon.
Dave Bittner: Iran says Israel was responsible for sabotaging the Natanz nuclear facility yesterday, and Tehran promises revenge. Online plotting results in the arrest of a Texas man alleged to have planned an attack on an Amazon Web Services center. Scraped data from LinkedIn and Clubhouse are being hawked online. Andrea Little Limbago from Interos addresses asymmetric power within cyberspace and how that plays out in warfare. Our guest is Giovanni Vigna from VMware on the takedown of the Emotet infrastructure. And the U.S. moves to fill senior cybersecurity positions.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 12, 2021.
Dave Bittner: Two kinetic incidents of importance surfaced over the weekend. Both had at least one foot in cyberspace. In the first, Iran's Natanz nuclear facility sustained an apparently deliberately planned explosion and power outage Sunday, according to The New York Times. Iran had just begun, on Saturday, injecting gas into the new-generation uranium enrichment centrifuges at Natanz. Testing marked National Nuclear Day in Iran.
Dave Bittner: A member of Iran's Parliament said, quote, "The blackout in Natanz on the anniversary of National Nuclear Day is suspicious and may be due to sabotage while Iran is trying to convince the Western countries to lift the sanctions," end quote.
Dave Bittner: While decrying the outage as sabotage and an act of terror - even nuclear terror, since Natanz is a nuclear facility, specifically one devoted to uranium enrichment - Iranian authorities did not immediately assign blame. Israeli media, however, unofficially attributed the incident to an Israeli cyberattack and cited anonymous Western intelligence sources as telling them that the sabotage had been a Mossad operation. Whether those sources were Israeli or from other countries is so far unknown. The Wall Street Journal reports that this morning Tehran did the same and promised revenge against the Zionists.
Dave Bittner: So there's no longer any doubt about whom Iran sees as responsible for the explosion. The Washington Post quoted an unnamed senior U.S. official as saying, "We have seen reports of an incident at the Natanz enrichment facility in Iran. The United States had no involvement, and we have nothing to add to speculation about the causes," end quote.
Dave Bittner: Israel, of course, didn't and isn't expected to publicly avow any role in the incident. CNN, reading between the various lines, thinks that Israeli army Chief of Staff Aviv Kochavi alluded to the operation in a sideways fashion a few hours after Iran reported the explosion when he said in a speech that Israel's, quote, "operations throughout the Middle East are not hidden from the eyes of the enemies," end quote. He added, "They are watching us, seeing the capabilities and carefully considering their steps," end quote.
Dave Bittner: The Natanz facility, which Iran maintains is a peaceful nuclear research facility, but which many observers think is a nuclear weapons development operation, has been subjected to cyberattack before. The Stuxnet tool, widely believed to have been developed by 2009 and subsequently introduced into Natanz in a joint Israeli-U.S. operation, disabled centrifuges at the installation by affecting the Siemens programmable logic controllers used in the enrichment process.
Dave Bittner: The other incident involved the arrest, Thursday, of a Texas man who the FBI says attempted to buy explosives from an undercover FBI employee, allegedly intending to blow up an Amazon Web Services facility in Virginia. BleepingComputer says that the Bureau identified the man's plans from posts he'd made in January on the MyMilitia site. A third party also tipped off the FBI that the suspect, one Seth Aaron Pendley, had communicated in a Signal message an interest in buying C4, the Record reports. C4 is a kind of plastic explosive which uses RDX as its principal ingredient. It's a military explosive that's also been used in terrorist bombings. The Justice Department said in a Friday press release announcing the arrest and the charges that Mr. Pendley explained in a Signal message that he was planning to use C4 to attack Amazon's data center, which he felt would, as he put it, kill off about 70% of the internet. Of course, to use C4, one must get C4. And one of Mr. Pendley's online contacts, one whom Justice describes as a confidential source, put Mr. Pendley in touch with a potential supplier, who was, of course, an undercover FBI employee. According to the Justice Department, quote, "In recorded conversations, Mr. Pendley allegedly told the undercover he planned to attack web servers that he believed provided services to the FBI, CIA and other federal agencies. He said he hoped to bring down the oligarchy currently in power in the United States," end quote. When he met the undercover employee on April 8, Mr. Pendley picked up what he believed to be explosives but which, in fact, were just inert materials. He had the undercover employee show him how to arm and detonate the phony explosives. And he then loaded them into his car, at which point the FBI arrested him.
Dave Bittner: Information from both LinkedIn and Clubhouse is being offered for sale in criminal markets. In both cases, the data appear to be publicly available and to have been scraped. Both LinkedIn and Clubhouse have convincingly denied being breached. The data on offer appear to be what the media's users would have themselves made public.
Dave Bittner: And finally, President Biden will appoint NSA alumni to senior cybersecurity posts, The Washington Post reports. Chris Inglis will serve as national cybersecurity director. And Jen Easterly will serve as CISA director. Easterly was among the NSA officials involved in establishing U.S. Cyber Command almost 10 years ago. Inglis has served for eight years as NSA executive director, the second-ranking official in the agency. As the first national cyber director, a role created late last year by Congress in response to recommendations developed by the Cyberspace Solarium, his role will be coordination of civilian agencies' cyberdefense and review of the relevant portions of their budgets. The position is outside the National Security Council. And so Inglis will not be responsible for overseeing offensive cyber policy as executed by military services and the intelligence community.
Dave Bittner: The recent international law enforcement effort to take down the Emotet botnet has, by all accounts, been remarkably successful. Time will tell if Emotet's operators are able to reconstitute the botnet or who might step in to fill the vacuum left in the takedown's wake. Giovanni Vigna is director of VMware's NSBU Threat Analysis Unit, and he joins us with insights on what he and his team have been tracking.
Giovanni Vigna: Emotet is one of the most prevalent malware. And it has been around for a substantial amount of time and has evolved in many different ways. I mean, this is common with malware. There are groups that are responsible for a piece of malware. Often, they sell access through their malware - so, like, installation as a service. Sometimes, they change their tactics. Sometimes, they change their code to avoid detection, to avoid being profiling (ph). So, actually, it's a big part of any threat intelligence analyst to sort of, you know, follow this lineage and understand how a particular threat evolves. However, this particular threat was egregious because of the size of the pool of machines that were infected and the success that it had in collecting victims and therefore data that was then monetized in many different ways, from information - personal information, access to credit card fraud, from banking fraud to ransomware. The whole system had different aspects depending on the time and place.
Dave Bittner: How successful has law enforcement been in their takedown of Emotet?
Giovanni Vigna: I think they've been very successful. Of course, you know, the real success in this operation is the apprehension of actual human beings. So this can really stop when people are in jail. Of course, you can also really destroy or - destroy - dismantle, I would say, the infrastructure. And that's what we observe in our telemetry. So just to give you a little bit of background as being the threat intelligence group under my direction, we keep tabs on what we call the threat landscape. And so we constantly look at data that comes from our customers, from the open-source environment to see, what are the most seen pieces of malware? What are the most common type of C&C communication? And we have, of course, Elasticsearch and a bunch of different algorithms to identify, what are the most relevant threats? And we saw with the takedown Emotet for being, like, the most obvious, prevalent threat to completely disappear. And so this is a sign based on data since we're data scientists, too, that, actually, the takedown was effective. However, we will only know in the months following when we will see, for example, arrests, convictions for actual operators of this type of threat.
Dave Bittner: That's Giovanni Vigna from VMware's NSBU Threat Analysis Unit.
Dave Bittner: And joining me once again is Andrea Little Limbago. She's the vice president of research and analysis at Interos. Andrea, it's always great to have you back. You know, I am fascinated by the asymmetry of power within cyberspace, how things in cyber allow folks who otherwise would not have been able to have the influence on the world that they would have to have now. In the old days of, you know, building battleships and aircraft carriers - you can have influence in cyber without having to build a battleship or an aircraft carrier, right?
Andrea Little Limbago: No, absolutely. And it really - it's one of the aspects, I think, of cyber that gets overlooked quite a bit. We say a lot, you know, the notion of asymmetric power. And we think very often of, say, North Korea and Iran, even Russia, if you look at their economy size, to have really this outsized impact on global affairs. And it's really changing warfare and geopolitics enormously, I think much more so than is normally appreciated. And we have this big push right now on major power competition. And that's 100% understandable. Absolutely, there are a lot of areas of competition going on between the U.S. and China. But I worry that we'll lose sight on how other trends may be going on, especially through this notion of asymmetric power and how that's also shifting geopolitics. And so that's just something I've been looking at a little bit, especially when thinking about not just through cyber but also cyber in emerging technologies and how they're integrated together and how that's really changing the evolution of warfare really, really quickly. It's one of the things that a lot of people think is more so in science fiction, you know, 10, 20 years from now, maybe at the earliest. But it's - really, it's going on now. And so it would be unfortunate to overlook it. I think also, it would be myopic because it's going to be disrupting all aspects of both, you know, national security, economic security, global trends, all of those. It's having - it's reshaping a lot of different aspects of the world right now.
Dave Bittner: Can you give us some examples?
Andrea Little Limbago: Yeah, definitely. The one that I've been looking at a bit is the use of drones in warfare. And, again, it's one of those things - you know, several years ago, a drone was associated with an attempted coup in Venezuela, if folks remember that. And then kind of didn't hear about drones very much so other than, again, in sort of these stories that we're looking ahead. But what we saw over the last year was signs of drones being used in numerous regional conflicts in, you know, a couple of - you know, Armenia and Azerbaijan - a conflict going on there. There's drone footage that was identified as having a potentially decisive role in the outcome of that. And wanting to know - you can think both through the lens of warfare and that - some were even saying it to the point that it made tanks irrelevant. And so I'm not sure I'd go that far quite yet. But when you do have a drone, you're targeting tanks that - you know, that mental model really does have to shift very quickly in looking at how technology is shaped and innovation are reshaping warfare. So that's just one example. In the Tigray Region in Ethiopia, there've been claims of drones there. There was some footage posted on social media in Western Sahara and Morocco, where there's a fight over territory. And that's actually this - you know, a lot of these are fights over territory, which is also something that's reemerging. And I think that this asymmetric notion of power is actually helping that. There, as well, there were some drones used in that regional conflict. And so that's just over the last year. And I imagine we'll see many more in the years to come. But when you look at that, it's the one - you know, it's shifting the nature of warfare. It's also shifting the nature of, you know, who's making these drones, right? So it gives the power to those who are the ones largely making all these drones.
And right now, China really has quite a lock on a lot of that market, although in these conflicts I just mentioned, some of the producers range from, you know, UAE to Turkey or Israel. So it's - you know, there are a lot of companies - or countries out there making them. And there actually right now are about a hundred countries that have drone capabilities on a military end. So it's not something that, you know, is just a few and far between because it's so - because it's cheap to have an outsize impact, you know, it's another area. But you can imagine down the road, what happens when drones get compromised?
Dave Bittner: What about in terms of setting policy for conflict in general? I mean, I'm thinking that, you know, a nation might have much less resistance to starting a war if we don't have to send soldiers. We don't have to send pilots. We don't have to send sailors - that all that can be handled by these, you know, remote vehicles and even robots, you know?
Andrea Little Limbago: Yeah, well, I mean, there have been some studies already. I mean, there's some websites that track the U.S. usage of drones, which has, you know, increased quite a bit over the last decade. And there has been some additional studies showing that by taking the human out of the loop, it does make people - you know, policymakers, leaders less restricted in their use of it. And so I do think that there's a whole lot of, like, human and ethical components that go along with it and more policies that need to be made to regulate, basically, the proper use and the rules of warfare, you know, going ahead and when one might be acceptable as far as, when is it justified as far as within the terms of warfare? And when is it unjustified? And that's - you know, that's something that's been a challenge throughout history as technology changes and evolves. You know, what is just and unjust warfare? And this is, you know, the latest example. And it's starting to get some attention. But, you know, there's a whole lot more work that needs to be done in that area because, I mean, it's absolutely right. When you take your own human loss out of it, it does alter the calculus, very much so.
Dave Bittner: All right. Well, Andrea Little Limbago, thanks for joining us.
Andrea Little Limbago: Thank you, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. You asked for it. You got it. Listen for us on your Alexa smart speaker, too. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.