The CyberWire Daily Podcast 4.15.21
Ep 1312 | 4.15.21

Imposing costs and sending signals (and prominently naming Cozy Bear). More speculation about the Natanz explosion. And a shift in the criminal-to-criminal economy.


Dave Bittner: The U.S. announces a broad range of retaliatory actions designed to impose costs on Russia for its recent actions in cyberspace. More reports on the Natanz incident suggest that a buried bomb was remotely detonated. David Dufour from Webroot has a wake-up call on digital privacy. Our guest is Ganesh Pai from Uptycs on MITRE ATT&CK Evaluations. And IcedID is taking Emotet's place in the criminal ecosystem.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 15, 2021. 

Dave Bittner: Today's cyber news is dominated by this morning's announcement of a broad range of U.S. responses to Russian operations in cyberspace. The U.S. administration this morning announced a long-expected set of measures designed to impose costs on Russian threat actors for election influence operations, for the SolarWinds compromise and for other cyber campaigns. The steps taken include sanctions and diplomatic expulsions and, of course, naming and shaming.

Dave Bittner: U.S. President Biden signed an executive order today intending, quote, "to demonstrate the administration's resolve in responding to and deterring the full scope of Russia's harmful foreign activities," end quote. The White House statement frames the order as a signal that the United States will impose costs in a strategic and economically impactful manner on Russia if it continues or escalates its destabilizing international actions. 

Dave Bittner: The objectionable Russian actions include efforts to undermine elections and democratic institutions, not only in the U.S. but also in unspecified allied countries. They also include various other violations of international law, including respect for the territorial integrity of states.

Dave Bittner: Russia's continuing occupation of Ukrainian territory in Crimea is the principal offense against territorial integrity. The White House cites the cooperation of the European Union, the United Kingdom, Australia and Canada in imposing sanctions against eight individuals and entities associated with that occupation. With tension rising between Russia and Ukraine and with menacing Russian troop movements in the region - unilateral Russian provocations along the line of contact in eastern Ukraine, in occupied Crimea and along Ukraine's borders, the White House statement calls them - the administration made an unambiguous statement of support for Ukraine, quote, "the transatlantic community stands united in supporting Ukraine against [those provocations], as well as agreeing on the need for Russia to immediately cease its military buildup and inflammatory rhetoric," end quote.

Dave Bittner: The White House, NSA, the FBI and CISA all formally attributed the SolarWinds compromise to Russia's Foreign Intelligence Service, the SVR. To make the attribution utterly clear, they cite the names industry has used to refer to its cyber operations - APT29, Cozy Bear and The Dukes. That attribution is offered with high confidence. The administration notes that this software supply chain compromise gave the SVR the ability to either spy on or disrupt more than 16,000 systems worldwide and that most of the affected systems belong to the private sector. 

Dave Bittner: NSA's statement described mitigation of known vulnerabilities in the SolarWinds Orion software supply chain, WellMess malware used against COVID-19 researchers and network attacks exploiting a VMware vulnerability. NSA's Cybersecurity Directorate tweeted a warning that Russia's SVR is actively exploiting five publicly known vulnerabilities against U.S. and allied networks. NSA's director of cybersecurity, Rob Joyce, joined us on the line earlier today and provided this statement.

Rob Joyce: Today, NSA released a joint advisory with the FBI and DHS' CISA. We highlighted cyber vulnerabilities that have been the target of exploitation by the Russian Foreign Intelligence Service, the SVR. The vulnerabilities in today's release are part of the SVR's toolkit to target networks across the government and private sectors. We need to make SVR's job harder by taking them away. NSA is urging rapid mitigation by system owners to make attempts at malicious actions less likely to succeed.

Dave Bittner: The SolarWinds incident is particularly troubling because it was a software supply chain compromise that enabled organizations to be targeted easily and at will. The White House thinks this should serve as a warning about the risks of using information and communications technology and services supplied by companies that operate or store user data in Russia or rely on software developments or remote technical support by personnel in Russia. To address those risks, the U.S. government is considering action under Executive Order 13873, the better to protect the information and communications technology and services supply chain against Russian exploitation. 

Dave Bittner: The U.S. State Department is expelling 10 Russian diplomats in connection with this activity, the AP reports. The White House statement says the 10 come from Russia's diplomatic mission in Washington, and include representatives of Russian intelligence services.

Dave Bittner: And the U.S. Department of the Treasury announced today that it was sanctioning 16 entities and 16 individuals who attempted to influence the 2020 U.S. presidential election at the direction of the leadership of the Russian government. Four front media organizations associated with three Russian intelligence and security services are singled out as disinformation shops: SouthFront (FSB), NewsFront (FSB), InfoRos (GRU) and the Strategic Culture Foundation (SVR). Pursuant to today's executive order, Treasury now prohibits U.S. financial institutions from participating in the market for any bonds Russia might issue after this coming June 14. Six Russian tech companies that support the Russian intelligence services' cyber programs are being sanctioned.

Dave Bittner: And, of course, the actions taken by the U.S. today have implications for the evolution of international norms of conduct in cyberspace. The White House statement affirmed the importance of an open, interoperable, secure and reliable internet, which it regards as a goal shared by most of the international community - U.S. allies and partners in particular - but which Russian actions undermine. 

Dave Bittner: To foster the development of a stable, secure cyberspace, the White House outlined two actions. Quote, "first, the United States is bolstering its efforts to promote a framework of responsible state behavior in cyberspace and to cooperate with allies and partners to counter malign cyberactivities," end quote. An important part of that will involve training, for policymakers and international lawyers, on the policy and technical aspects of publicly attributing cyber incidents. The U.S. will begin organizing such training at the George C. Marshall Center in Garmisch, Germany. The training will extend beyond the details of attribution and cover international norms of conduct in cyberspace. 

Dave Bittner: Second, the White House says they are reinforcing their commitment to collective security in cyberspace. This involves joint military training in Cyber Flag 21-1, a combined exercise that aims at improving cyberdefense capabilities and resilience. The U.K., France, Denmark and Estonia at least will participate. 

Dave Bittner: The Jerusalem Post reports that the sabotage at Iran's Natanz uranium enrichment facility, widely attributed to Israel by both the Iranian government and Israeli media, was produced by a remotely detonated explosive device. 

Dave Bittner: And finally, January's Emotet takedown by law enforcement left a gap in the criminal ecosystem, now being partially filled by the IcedID gang, the Record reports. IcedID began with familiar spam campaigns back in 2017, distributing what the Record calls a classic banking Trojan. But it’s evolved and now functions as a malware-as-a-service operation. 

Dave Bittner: Our own Rick Howard checked in with Ganesh Pai from Uptycs for his views on MITRE ATT&CK Evaluations. Here's Rick Howard. 

Rick Howard: I got the chance to talk to Ganesh Pai, the CEO of Uptycs, an SQL-powered security analytics platform, about his company's recent participation in the MITRE ATT&CK Evaluation Program. This relatively new program from MITRE invites security vendors to bring their solutions into an environment so that the MITRE lab rats can throw actual adversary campaigns at them to see if the vendor can detect and prevent them. In this evaluation, MITRE deployed the attack campaigns used by the adversary group FIN7, also known as Carbanak, a financially motivated threat group that has primarily targeted the U.S. retail, restaurant and hospitality sectors since mid-2015. I asked Ganesh why he thought the MITRE ATT&CK campaign was good for the industry. 

Ganesh Pai: It's one of those approaches where there is a third party who is neutral and objective. They have common evaluation criteria, and they call it MITRE ATT&CK Enterprise Evaluations. They set up an environment, and they work with the vendors to say, do your best. We're going to be doing these kinds of things to do something malicious, and we'll see how well your solution measures up against the framework.

Ganesh Pai: So they're doing two things - one, giving you a nice framework so that everyone uses the same language. And second, they provide an approach for evaluation where there's a third party objectively providing a quantifiable approach to demonstrating value. They don't rank-stack you; they just collect all the data as a part of their findings and present it. And what's nice is they allow those who want to procure technology to objectively evaluate the outcomes. We placed a bet on this quantitative approach to measure even the efficacy of a solution because, given the number of vendors out there, we wanted to stand out. And as I said, for us, to show something demonstrable in a quantifiable way was important.

Rick Howard: In these kinds of things, disagreements between the evaluator and the evaluated always happen. I asked Ganesh about how Uptycs worked things out with MITRE when they did. 

Ganesh Pai: They upfront said Carbanak and FIN7 are the two sets of techniques and tactics that we're going to be evaluating vendors against. They also outlined the tier (ph) - around 159 or 160 - that we expect you to hit relative to the number of detections. When we actually went into the evaluation, our experience was actually very nice. They were quite objective when there was any disconnect, and the disconnect was very straightforward. We might not have set a flag right or tuned something because we had the ability to capture the telemetry, but we may not have displayed a finding for one out of the 160 or something like that. And they were nice enough to say that this is what we did visibly see on the screen. We looked at it and said, look; oh, here is this tuning flag which was missing. We set that right. And we were fortunate that then they said, yeah, this looks good. Other people's mileage might vary. But if we were to go by our engagement, I'd view it as a very pleasant and very collaborative one to iron out any differences in opinion.

Rick Howard: Clearly, for a vendor, this is an investment in time and resources. I asked Ganesh what it took to get ready. 

Ganesh Pai: They outlined what the set of techniques are as a series of columns which are laid out one after the other. And then there is the notion of tactics. Given a technique for a given subtactic, there can be 10 or 15 or even more approaches to doing the detection of that tactic. 

Rick Howard: If anybody has heard me speak before, you know that I'm a big fan of crafting prevention controls for all known adversary behavior across the intrusion kill chain. Unfortunately, most of us, vendors and practitioners alike, focus on the technical details of preventing malware and exploits and ransomware and not on defeating the actual adversary. The MITRE ATT&CK Evaluation program seems to be a step in the right direction. I asked Ganesh if he thought going through this exercise would change how his engineering team adds new features to his products in the future. 

Ganesh Pai: The set of things that we came up with for detecting Carbanak and FIN7 during the evaluations are fairly generic. The detection for each of the tactics has been coded in a way such that if it ever gets reformulated to do a detection of another one, it's not going to be a whole lot of work for us. The engineering work and the three months that we put in is generic enough that it gives a return on investment for a long time to come.

Rick Howard: I'm a fan of the MITRE ATT&CK Evaluation Program, and it sounds like Ganesh and Uptycs are, too. If you agree, it might be a good idea to encourage all of the vendors you have deployed in your own security stack to participate in the next one. You might even suggest that it will be a precondition before you renew the contract at the next iteration.

Dave Bittner: That's the CyberWire's Rick Howard speaking with Ganesh Pai from Uptycs. 

Dave Bittner: And I'm pleased to be joined once again by David Dufour. He is the vice president of engineering and cybersecurity at Webroot. David, always great to have you back. 

David Dufour: Great to be here, David, as always. 

Dave Bittner: I wanted to touch on the recent hack we saw on Verkada and how that was kind of a wake-up call when it comes to folks' digital privacy. What thoughts do you have on that? 

David Dufour: You know, I'm not going to kind of call out Verkada because they're the ones - in this instance, they got caught with a - you know, an issue with a super admin password. But I got to tell you. I promise you there are a lot of organizations with the same problem. They just haven't been caught yet. So I'm not necessarily, you know, saying - obviously they did something wrong, but I'm not saying that they're the only ones, and we need to point a finger. This is really another touchpoint, a time where we all need to be aware of what's possible if someone's able to get into something and get - I mean, if you're not familiar, you know, they got access to 150,000 live cameras. And they were showing footage for different organizations to media and stuff like that. So it was a big deal, but we're all affected by this. 

Dave Bittner: Yeah. I mean, how do you come at something like a hardcoded credential? I mean, is that - you have folks out there hunting for that proactively? 

David Dufour: Yeah. You know, this - and, David, you know, a lot of the engineers who work for me would laugh at this comment, but I used to write code. And, really, what you've got to... 

Dave Bittner: (Laughter). 

David Dufour: Believe it or not. This really starts with the engineers. You have to have a good process in place because - that analyzes code that is ensuring you're not, you know, doing things like hard-coding passwords because when you're first bootstrapping something, trying to test something, you really just want to quickly get things up and running. But you got to have peer reviews. You've got to have code scans. So it really starts there and then goes out from there at different layers of ensuring that people are protected. 

Dave Bittner: Yeah, 'cause, I mean, isn't it accurate that a lot of times, those things get put in as part of the development process, again, for the convenience of the developers, but then once it goes into production, it should be pulled out and that doesn't always happen? 

David Dufour: That's exactly what the case is. And a lot of times, David, believe it or not, it's included for convenience in, like, raw source code SDKs. And they say change this once you get it up and running so that you're safe. And a lot of programmers don't take the time even, you know, when you're using that third-party tool. So you're exactly right. It's just a function of a lot of us want to get stuff working. And believe it or not, security sometimes takes a back seat to stuff, David. We've never seen that before, right? 

Dave Bittner: (Laughter) What are your thoughts for the folks downstream who found themselves victim of this, you know, your classic sort of third-party thing, where, you know, I've contracted with a company like Verkada, and because they weren't doing things 100%, now, you know, the footage of my factory floor is on the nightly news? 

David Dufour: That is the problem. And I - you put it in a nutshell. How do you verify? And, you know, just like in society, where we want to go to the grocery store, the pharmacist, you have to have trust at some level, and these things will happen. And then the question is, how do you recover from it? 

David Dufour: You know, you have to have processes in place that vet your third parties, and you're making sure that the tools you bring in are as secure as possible 'cause you can only do it as best as you can. And again, that looks - that's that whole process, depending on the size of your organization. Are you able to vet it? Can you - you know, what's your exposure if the stuff gets out? Look; if you have a factory floor and they're watching a guy drive a forklift, you're probably not worried too much about it. But if you have a - you know, a customized manufacturing process where one of these cameras is watching that and it's intellectual property, you probably want to make sure maybe you don't buy the cheapest available system out there. You need to make sure there's something that's been vetted and potentially certified that it is secure. 

Dave Bittner: Yeah, yeah. It's such a - it's sort of an object lesson in this whole thing of the supply chain and - you know, from supply chain issues to embedded passwords, there's something for everybody here. 

David Dufour: There absolutely is. And it goes back to we have to trust, but we can verify. And a lot of times, cost gets in the way of that verification process. And we just need to be aware of it. And this goes for consumers as well, David. I mean, people put stuff in their homes, and they connect it to their Wi-Fi, and they don't know what's going on. They don't know if it's calling home to some country where they'd freak out if it was. 

Dave Bittner: Yeah. 

David Dufour: You just have to spend more time understanding, and it's easy not to 'cause we all get busy. 

Dave Bittner: Yeah. All right. Well, David Dufour, thanks for joining us. 

David Dufour: Hey, great being here, David. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It's not just a job; it's an adventure. Listen for us on your Alexa smart speaker, too.

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.