The CyberWire Daily Podcast 5.21.21
Ep 1338 | 5.21.21

DarkSide still more-or-less dark. Updates on Colonial Pipeline and HSE ransomware attacks. CNA said to have paid $40 million in ransom. Cyber privateers and cyber mercenaries.


Dave Bittner: Hey, everybody. Dave here. I'm excited to let you know about yet another fascinating podcast coming to the CyberWire network. It's called 8th Layer Insights. Our good friend Perry Carpenter is the host and creator of this new show. You probably already know Perry as an influential author, security researcher and behavioral science enthusiast, and he's appeared on our shows many times over the years. On 8th Layer Insights, he'll delve into the complexities of human nature and how it influences security and risk. Topics include cybersecurity, psychology, behavioral science, communication, leadership and much more. The show is set to launch on Tuesday, May 25, but you can check out the trailer right now at and subscribe on your favorite podcast app. I've already subscribed. You're not going to want to miss this one. Thanks.

Dave Bittner: The U.S. remains officially mum on whether it took down DarkSide, but it still looks as if the ransomware gang absconded on its own. Colonial Pipeline now faces legal fallout from its ransomware incident. Speculation about how states might handle cyber privateering. Conti's attack on HSE is described as catastrophic. Russia says it was hit by foreign cyber mercenaries last year. Craig Williams from Cisco Talos explains Discord abuses. Our guest is Jon Ford from Mandiant on their M-Trends 2021 report. And CNA pays cyber extortionists $40 million. 

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 21, 2021. 

Dave Bittner: The U.S. is still officially mum on whether it took down DarkSide infrastructure, The Hill reports, but it still looks as if the U.S. did not do so. The anonymous officials who talked to The Washington Post earlier this week still have the last word for now. If DarkSide was clobbered by law enforcement, they didn't come from Washington, Langley or Fort Meade, say the anonymice. 

Dave Bittner: CIO Insight has a distillation of lessons organizations might learn from the Colonial Pipeline incident. Those lessons are organized under eight headings. They include phishing. Many, if not most, ransomware attacks find their way in through phishing attacks, and so a workforce prepared to recognize and defend against this form of social engineering is vital to resilience. Backups - you need to prepare, secure regular offline backups and check them often for signs of compromise. Air gaps - don't connect what doesn't need to be connected. Don't pay the ransom. This is a tougher call, but in general, it would be better for everyone if the financial incentive for ransomware gangs were driven down. Segmentation - make it difficult for ransomware to propagate across the enterprise. Zero-trust security - enforce proper validation and authorization. Digital transformation - by all means, modernize, but don't open fresh attack surfaces when formerly manual systems and operations are automated or brought into the network. And last but not least, patches. Keep systems up to date. Far more attacks use known exploits than zero-days. 

Dave Bittner: CSO Insight also sees crisis as opportunity. Boards and C-suites are likely to be disposed to listen to advice, provide resources and to be unusually willing to invest in better security. 

Dave Bittner: Bloomberg Law reports that a proposed class action suit against Colonial Pipeline has been filed in the U.S. federal court for the Northern District of Georgia. Such actions have become practically routine for high-profile cyber incidents. The plaintiffs allege in part, quote, "as a result of the defendant's failure to properly secure the Colonial Pipeline's critical infrastructure, leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021, there have been catastrophic effects for consumers and other end-users of gasoline up and down the East Coast," end quote. 

Dave Bittner: MIT Technical Review speculates that Russia's toleration - at the very least - of ransomware operators has at this point gone too far and may force the U.S. toward retaliation against Moscow. Retired U.S. Admiral James Stavridis, a former Supreme Allied Commander Europe, writes that such retaliation might draw lessons from the history of privateering and the suppression of piracy, but that above all, it should be a cooperative action with allies. 

Dave Bittner: He writes, quote, "while there is no hard public evidence that the government of Russia is benefiting financially, multiple sources, including the U.S. Treasury Department, indicate that it is affording protection to hacking organizations that steal from and disrupt the West. If true, the rules appear simple. Don't attack any Russian or Russian-aligned nations. But otherwise, the cyber seas are open for hunting. Although it's uncertain if the Kremlin was involved, the ransomware attack on the East Coast pipeline system by Russian-based hackers known as DarkSide seems to fit this pattern," end quote. He advises more naming and shaming, sharing of evidence with allies and, where possible, seizure of the cyber privateers' assets. And he thinks retaliation against the Russian state might well be a justifiable step. Quote, "finally, if the U.S. has appropriate evidence to show Russian government collusion with cybercriminals, it needs to respond in kind at the national level. It could, for example, intrude on Russian government systems and alter or erase data in a way that would be proportional, perhaps reducing the Russians' ability to move natural gas to markets. Naturally, some U.S. capabilities should remain unused and in a war reserve mode, but more prosaic tools could certainly be deployed," end quote. If Russian official sources are to be believed, some such retaliation may have already taken place, but it would have been retaliation against earlier Russian operations, not the more recent ransomware or supply chain compromise incidents. TASS is still authorized to declare that in the SVR's view, the U.S. and the U.K. may well have been behind the SolarWinds compromise, but this opinion seems to have few takers, at least in the Five Eyes. 

Dave Bittner: There's a new report, however, this one described by the Record, in which Rostelecom-Solar, the cyber unit of telecom company Rostelecom, and the FSB's National Coordination Center for Computer Incidents describe a 2020 campaign against Russian cyberspace that they assess as the work of cyber mercenaries pursuing the interests of a foreign state. The effort is said to have involved social engineering, a protracted reconnaissance phase and introduction of malware specifically designed to evade detection or blocking by Kaspersky products. It's possible that there was such a campaign against Russian government targets. Russian sources don't identify the foreign government that may have hired and dispatched the mercenaries, but it could be any number of adversaries or competitors. The charges may also amount to a tu quoque response to U.S. attribution of the SolarWinds compromise to Russia. 

Dave Bittner: The BBC describes the ransomware attack on Ireland's HSE as catastrophic. BleepingComputer reports that the Conti gang has given HSE a free decryptor but still threatens to sell or publish stolen information if they're not paid. The affected organization is evaluating its decryption options. 

Dave Bittner: Finally, the $4 million-plus ransom Colonial Pipeline paid DarkSide seems big enough, but it's practically chickenfeed when compared to a payment Bloomberg reports CNA Financial made back in March. The Chicago-based insurance firm, seventh-largest commercial insurer in the U.S., is said to have paid $40 million to the gang that extorted it. Which gang got the money is unclear. The ransomware strain employed was PhoenixLocker, a variant of Hades, and Hades was developed by the Russian criminal threat actor Evil Corp. But CNA says it paid Phoenix. The distinction, if it can be maintained, isn't an idle one. Evil Corp is under U.S. sanction; Phoenix, formally, is not. 

Dave Bittner: Jon Ford is managing director of global government services and insider threat security solutions at Mandiant, and prior to that, he enjoyed a distinguished career with the FBI. He joins us with insights from Mandiant's 2021 M-Trends report, a view from the front lines. 

Dave Bittner: Well, let's dig into our main topic of discussion today, which is this most recent Mandiant M-Trends report. This is the 2021 report. Before we dig in here, I mean, this report has quite a pedigree, going back over a decade now. 

Jon Ford: Yes, it does. It is one of the signature reports that we put out each year and really starts showing the trends of how, you know, what types of activity have really been taking place over the years. And also I think what's more interesting for us - I mean, it talks about the malware families, the types of malicious activities that are occurring. But what I think is even more interesting is where it shows - dwell time is very important to us because it really shows that the time to detection has really been lowering year over year. And we're getting better and better at detecting those incidents. And I'm not just talking about just we as Mandiant, but I'm talking about we as in companies and governments. They're getting much better at detecting these much quicker. 

Dave Bittner: It's remarkable this ongoing and, I suppose, continuing trend of the professionalization of these organizations. They keep - it seems like year after year, in many ways, they're upping their game. 

Jon Ford: They are upping their game. And it's not just a closed organization, as most would think, you know. It's not just a group of people in, you know, a room somewhere doing this. It's very disparate. And they've actually made their business efficiencies as well. So they have groups that only design the ransomware. They have the groups that are only doing the targeting. They have the groups that only get into the systems and exfil the data. And they have other groups that are managing the data and handling the extortion. And that - from that perspective, yes, they have professionalized that - their ability to become very efficient at what they're doing but also target in a much more precise way to get the most money. These criminals try to get the most money that they can, quite frankly. 

Dave Bittner: Well, I mean, let's go through some of the other details in the report. What are some of the things that stand out to you? 

Jon Ford: From a malware perspective, what we're discovering when we're doing our incident response is that the majority of those have not been seen before, right? So, you know, that becomes a very interesting point for us because that's one of the key detectors that most organizations look at, right? You know, how can I block known malware, malware that's out there, based upon whatever indicators those organizations use? But we're seeing more and more custom malware that's out there that is much harder to detect. And so when we're doing our incident responses, we're seeing that the majority has not been seen before. And so for us, that makes it - you know, we're starting to have to detect based upon behaviors as opposed to detecting based upon signatures. 

Dave Bittner: And I suppose - I mean, we have to mention that, of course, as everybody knows, 2020 was not your typical year. Thanks to COVID-19, a lot of things shifted around. 

Jon Ford: They did. They did. And one of the things that we first saw start moving around, too, was also insider threats. When the work from home began in 2020 for us and we started seeing more people going home, people also started reacting to what the economy will be tomorrow, right? And what does this mean? We started seeing layoffs occur. And when we started seeing those occur as well, then that became a challenge for organizations. And one of the - you know, the first series of attacks that we started seeing was, when layoffs occurred, that there were still backdoors that were left by the employees in the organizations, and they were destroying the data that would make the company profitable and destroying their backups. And so that was one of the first things that we started to see. 

Dave Bittner: Mmm hmm. Did you see any interesting trends or movements when it comes to the particular industries that were being targeted here? Have they shifted who they're going after? 

Jon Ford: So from an insider perspective, we did see that - one of the biggest things that started happening was there was an accelerated opportunity for research around COVID, right? How can - who could come to market with the COVID vaccine? Right after that is where we saw a shift, where it started becoming much more of an espionage perspective. There were still many businesses that were going to continue moving forward, and their research was key. And we started seeing, from an espionage perspective, those from outside. There were nation-state actors that were starting to recruit and seeing who they could recruit inside of these organizations, either individually or through the Thousand Talents program or other talent programs that are run by the countries, to identify individuals who could bring that information to them so they could be first to market and essentially try to reduce that development curve - right? - on the research and development side and try to have something they could go to market faster with. 

Dave Bittner: That's Jon Ford from Mandiant. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Craig Williams. He's the director of Talos outreach at Cisco. Craig, always great to have you back. Over on the Talos blog, you guys posted some interesting research here. It's titled "Cheating the cheater: How adversaries are using backdoored video game cheat engines and modding tools." What's going on here, Craig? 

Craig Williams: Well, you know, after work, sometimes I like to continue conducting my research by playing video games with... 

Dave Bittner: (Laughter). 

Craig Williams: ...People who work for me and other management within Talos. You know, Call of Duty is a big one, Rainbow Six Siege, fun games like that. 

Dave Bittner: Uh-huh. 

Craig Williams: So as part of our research (laughter)... 

Dave Bittner: Uh-huh. Right. That's... 

Craig Williams: If we call it that, can I expense the software under the rules? (Laughter). 

Dave Bittner: Well, I was going to say, that's what you tell your bosses anyway, right? 

Craig Williams: Oh, they play, you know? But so, you know, seriously, though, video games are played by everyone, right? They're played... 

Dave Bittner: Yeah. 

Craig Williams: ...By people in the security space. They're played by executives in the security space. They're played by just about everyone now. These aren't for teenagers, although teenagers do play. Children play. 

Dave Bittner: Yeah. 

Craig Williams: So video games have become as ubiquitous as TV 10 or 15 years ago. And I think it's important to realize that when you're talking about video games now, you're talking about, like, the new form of medium. Like, it's as popular as the newspaper when our parents were kids. 

Dave Bittner: Right. 

Craig Williams: And so because of that - right? - if you can have an advantage in a video game, it makes it a lot more fun to most people, right? 

Dave Bittner: (Laughter). 

Craig Williams: Or at least a huge percentage. 

Dave Bittner: So are we using the euphemistic word advantage there, Craig? 

Craig Williams: (Laughter). 

Dave Bittner: Does that mean - what advantages of which you speak, my friend? 

Craig Williams: I did air quotes. I promise. 

Dave Bittner: (Laughter) OK. 

Craig Williams: But so what happens here is people will use the allure of cheating to draw people into making poor security choices. It's no different than people who, you know, send out, you know, get-rich-quick scams and similar to, you know, the Nigerian prince email. It's just a little bit more of an attractive package targeting a little bit smarter user. 

Dave Bittner: Mmm hmm. 

Craig Williams: So what they'll do is they'll send out cheats with different, you know, lures saying, hey, favorite video game of the week, if you'd like to have an aimbot and never miss again, download this attachment. Or if you would like to have infinite gold, download this attachment. And so obviously, for most users, they'll see that right away and think that's not true. But where it gets a little bit more complicated is either users who don't care or what if the tool is real, it's just also been, you know, modified to include a piece of malware? 

Dave Bittner: Right. Right. So what are you seeing here? What are some of the specific cases? 

Craig Williams: Well, in the blog we put out on the Talos Intelligence blog, we've got some modding tools with how-to videos and other sorts of social lures, and we've got some cheats. The example we go through in the specific blog is a Visual Basic obfuscated loader. It's really an interesting thing to reverse. We go through all the different steps in the blog post and kind of walk people through how complicated and how obfuscated this is. And the reason I mention that is because it's a great example of how complex this scene has become, right? It's no longer little lazy exploits. Now we're seeing time and effort put into making these evasive, making them more convincing and making them hard to analyze and hard to unpack. 

Craig Williams: And again, you know, the reason they do this is to trick security analysis tools - right? - to prevent analysis, to make it more difficult to figure out what the software is actually doing. And so, you know, to that end, in the blog post, we walked folks through the entire sample in painstaking detail. Holger was nice enough to take screenshots of just about every step to show people exactly what these modding tools are doing and how the malware is getting its hooks into their system. 

Dave Bittner: Hmm. So, I mean, other than the obvious lesson that, you know, cheaters never win and you shouldn't cheat at games, it's just a bad - you know, you're a bad person if you do that (laughter). But, you know, the security thing is obvious here, that, as you say, they're taking advantage of people's desire to get something for nothing, and you might end up with more than you bargained for. 

Craig Williams: Well, exactly. And I think there is a massive number of people in the computer security community who got into computer security learning to cheat at video games and learning to mod video games, right? It's a natural stepping stone to understanding how the games work, how things work, which leads people right into computer security. So it's kind of ironic. I think this type of lure is incredibly attractive to people interested in computer security. So it's kind of funny, right? It's a lure that works on a lot of people, but it also probably attracts the people the actors don't want (laughter). 

Dave Bittner: Well, yeah, but isn't that interesting? Because on the one side, you're right. I could see there being a comfort level that, you know, this is something I'm familiar with. This feels like home. You know, this is how - this takes me back. And so - because also I think in the old days, a lot of these things were passed around in the days before there was malware. And, you know, people weren't thinking about that kind of thing. They weren't thinking to do that kind of thing. So there may be a false sense of security for some of the old-timers when it comes to that, even if it's subconscious. But then I think your point's a good one, that if you're a bad guy, the last group you want to attract is security professionals, right? 

Craig Williams: Well, and I think that's why they went through pretty great lengths to make sure that the code was obfuscated and hard to analyze. 

Dave Bittner: Mmm hmm. But I think the other point that's well made here is that, as you sort of said at the outset, that there are people from all walks of life playing these games. So it's not like these are just, you know, script kiddies going after kids and their pocket change. There are some pretty big targets out there that make this worth their time. 

Craig Williams: Absolutely. And that's why we wanted to make sure and remind everyone, anyone associated with our blog, that you should never download cheats or game mods casually. You should always give them the proper inspection. Make sure they're from a trusted source. Point your security software at them and let it scan them, and make sure that it can process the files. You know, I wouldn't even run video games, period, on my important systems. You should have a separate system for gaming. 

Dave Bittner: Well, it's a fascinating blog post. And for those of you out there who are, you know, sort of learning how to do a lot of this stuff, it's a great step by step that really takes you through the process that you and your team went through to sort of reverse this and figure out what was going on. So there's lots - there's something for everyone here, so I encourage you to check it out. It's over on the Talos Intelligence blog. Craig Williams, thanks for joining us. 

Craig Williams: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.