The CyberWire Daily Podcast 5.25.21
Ep 1340 | 5.25.21

CryptoCore traced to Pyongyang. Ransomware and risk management. Gangs regroup. A would-be hacker-by-bribery is sentenced in Nevada.


Dave Bittner: The CryptoCore campaign that looted cryptocurrency exchanges is said to have been the work of North Korea's Lazarus Group. Insurers are taking a hard look at ransomware and the cyber insurance policies that might cover it. Managing ransomware risk and a role for standards bodies - can there be such a thing as responsible disclosure of decryptors and other remediation tools? Ransomware gangs regroup. Perry Carpenter previews the new "8th Layer Insights" podcast. Rick Howard speaks with authors Doug Barth and Evan Gilman. And it's time served plus deportation in the case of an unsuccessful hacker.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 25, 2021. 

Dave Bittner: ClearSky yesterday reported its conclusions that the CryptoCore campaign - which hit alt-coin exchanges in Japan, Israel, Europe and the U.S. - was run by North Korea's Lazarus Group, known for state-directed financial crime. 

Dave Bittner: The CryptoCore operation began in 2018 and is thought to have been responsible for at least five attacks on cryptocurrency exchanges. The campaign's total take over its career is believed to have been somewhere north of $200 million. When CryptoCore first surfaced, it was attributed to a criminal gang thought to be operating from Eastern Europe or perhaps Russia. But F-Secure published some evidence suggestive of a Pyongyang connection, and ClearSky has taken a deeper look and now attributes the campaign, with medium to high confidence, to the DPRK's Lazarus Group. 

Dave Bittner: CryptoCore has gone by more than one name. ClearSky lists three others - CryptoMimic, Dangerous Password and - our favorite around the office - Leery Turtle. Whatever the name, it's the same unwelcome product. 

Dave Bittner: Dark Reading says that insurance firms are growing increasingly skittish about underwriting the risk of ransomware and seem to be moving away from providing the sort of coverage that might encourage or permit ransomware payments. BankInfoSecurity points to trending evidence that suggests both more limited coverage and higher premiums. 

Dave Bittner: The underwriters aren't, as far as anyone can tell, misreading the risk. Ransomware attacks continue, with audio system manufacturer Bose disclosing to authorities that it had suffered an incident it first detected in March. The Record says the company's statements haven't indicated whether it paid the ransom. 

Dave Bittner: Recovery has sometimes proven protracted, even after an attack has been detected and contained. The San Diego Union-Tribune reports that Scripps Health, which was hit on May 1, is still in the process of remediation but hopes to be back to normal operations by the end of the week. 

Dave Bittner: And the city of Tulsa, Oklahoma, which on May 10 disclosed the attack it sustained, preventively shut down many city systems to contain the infestation and prevent data loss. They also hope, according to SecurityWeek, to have recovered by week's end. 

Dave Bittner: Colonial Pipeline's experience with DarkSide ransomware has other sectors looking at their own defenses. FreightWaves sees a similar attack against the trucking industry as likely but also preventable. 

Dave Bittner: What, then, should infrastructure operators consider in the way of risk assessment going forward? Vikas Bhatia, CEO and co-founder of JustProtect, wrote us to point out that one of the lessons to be drawn from Colonial Pipeline's experience is that regular risk assessments should focus on an organization's specific vulnerabilities and the compliance regime it operates under. 

Dave Bittner: Quote, "organizations such as the North American Electricity Council, NERC; the National Institute of Standards and Technology, NIST; the American Petroleum Institute, API, provide standards that critical infrastructure providers and their customers can use to assess the organization's ability to manage the threat end to end. Critical infrastructure and regulated organizations should evaluate how often and to what detail internal or third-party assessments are performed. Rarely do organizations assess the risks of the threat landscape in as much detail or at the frequency required to identify or manage the risks," end quote. 

Dave Bittner: So aim at increased and timely visibility, and take advantage of the resources government, industry and standards bodies can provide. 

Dave Bittner: Many standards organizations are private as opposed to governmental, but their work can be and often is widely adopted. Governments certainly establish important regulatory regimes, but it's worth noting the role that the private sector has historically played in this regard. The insurance industry in particular has had a lot to do with establishing standards. Had the actuaries and underwriters not gotten involved with fire prevention and personal safety, to take one example, it's unlikely that fire safety codes, in the U.S. at least, would have evolved as they have. 

Dave Bittner: MIT Technology Review early this week complained about the way in which security firms who provide free decryptors make their tools publicly available and particularly excoriated Bitdefender's release of a DarkSide decryptor earlier this year, saying that the gang benefited from the announcement to fix issues in their code. 

Dave Bittner: As we pointed out yesterday, that seems strong. After all, a gang might realize that something was wrong when its victims appeared able to return to normal without paying for decryption. And while a free decryptor might well make it easier for a gang to find and fix problems with their malware, The Washington Post reports that Bitdefender has said, with arguable justice, that publishing a decryptor enabled them to help a lot more victims a lot faster than a more discreet, more selective disclosure would have permitted. 

Dave Bittner: The Wall Street Journal observes that ransomware gangs appear to be scuttling away from recent light on their activities - scrutiny and scorn, as the Journal puts it. But they've remained active and probably are simply regrouping, not exiting, still less reforming. It's a kind of unenlightened, coarse self-interest. If the gangs hit a target that attracts a lot of attention from the police, that's no good. 

Dave Bittner: It's not the reputational risk that concerns them, but rather tugging on Superman's cape, tickling the sleeping dragons of law enforcement. It would be unwise to accept the avowals of the likes of the DarkSide when they say they're determined to avoid social damage. That's what they say when they're caught clobbering a hospital or doing something else that will really motivate the authorities to bring the hammer down. So this is a temporary pause at best, and the gangs are unlikely to cease and desist this side of the slammer. 

Dave Bittner: And finally, remember that guy who copped a plea in Nevada to federal charges related to his unsuccessful attempts to bribe a Tesla employee with half a million bucks to install malware on Mr. Musk's battery factory's computers? The AP reports that yesterday, U.S. District Judge Miranda Du passed sentence on him. She gave Egor Igorevich Kriuchkov 10 months. Since he's already been in custody for nine months and that detention counts, the sentence amounts to time served. He'll be deported back to Russia soon. Judge Du said she took into account both Mr. Kriuchkov's plea agreement with the U.S. attorney and the fact that, after all, his attempt to hack the Reno-area battery plant failed. The attack was supposed to be a two-stage attack - denial of service as misdirection for the second stage, installation of malware designed to exfiltrate sensitive information. 

Dave Bittner: "I'm sorry for my decision. I regret it," Mr. Kriuchkov said, adding that his time at Club Fed had given him an opportunity to reflect on the damage he'd done to his reputation and the pain he'd caused his family. It's worth noting that U.S. authorities have not alleged the Russian government had anything to do with Mr. Kriuchkov's crime. He seems to have been just a crook on the lookout for the main chance. Happy trails. 

Dave Bittner: Throughout this week, we're featuring Rick Howard's exclusive interviews with renowned authors of cybersecurity books - books so good they've been inducted into the Cybersecurity Canon. Here's Rick. 

Rick Howard: It's Cybersecurity Canon Week here at the CyberWire. And unofficially, all the CyberWire staff members are referring to this week as Shark Week for cybersecurity books because the Cybersecurity Canon project has announced the author selectees for the Hall of Fame awards for 2021, and I'm interviewing all the winning authors. Each day this week you will get a taste of the winning author interviews here in this daily podcast segment, but you can listen to the entire long-form interviews as special episodes in my "CSO Perspectives" podcast only available to the CyberWire Pro subscribers. 

Rick Howard: Today's interview is with Doug Barth and Evan Gilman, the authors of "Zero Trust Networks: Building Secure Systems in Untrusted Networks." I started out by asking Doug, why did he feel compelled to write this book? 

Evan Gilman: I guess I'll start since I'm the troublemaker that incited all this crazy stuff. It was actually after a conference talk I gave wherein one of the questions at the end was, where can I go to read more about this? And I was like, well, I don't know (laughter). I don't think there's anything out there, really. It's - I mean, I've looked. I haven't found anything. Come talk to me afterwards. 

Evan Gilman: And I felt passionate about the topic, and I felt that, you know, it was important and that nobody else was talking about it. You know, people should at least be considering it. A lot of people had written about these types of problems, but nobody had really written about them all being kind of related to each other in this bigger picture, zero trust type thing. There was some prior art, but it wasn't, like, super-duper cohesive. And certainly, it wasn't laid out like, OK, if I wanted to do this exactly, what are the things I should be thinking about, and how could I accomplish it? 

Rick Howard: I asked Doug about how Evan convinced him to join this book-writing journey. 

Doug Barth: I think my exact comment to him was, oh, the book people came by your talk. I understand. 

Rick Howard: (Laughter). 

Doug Barth: I like working with Evan. Evan's super smart. Like he mentioned, we had only scratched the surface of the topic because we were building for a startup's needs and, like, solving problems as they came to us. 

Doug Barth: I thought it would be interesting to continue the thought exercise of, well, if we're going to build systems here under this assumption that our networks are untrustworthy, how would we continue to design and iterate on that architecture? That was - what? - basically the - what? - year and a half that we spent, like, researching... 

Evan Gilman: Yeah. 

Doug Barth: ...And digging into it... 

Evan Gilman: Yeah. 

Doug Barth: ...Just trying to, like, figure out what would our answer be if we had to deal with this problem, what would our answer be if we had to deal with that problem, and trying to educate ourselves on what the broader industry was thinking here, so we weren't just, like, making it up in a vacuum. 

Rick Howard: The book is called "Zero Trust Networks: Building Secure Systems in Untrusted Networks." The authors are Doug Barth and Evan Gilman, and they are the newest additions to the Cybersecurity Canon Hall of Fame. 

Rick Howard: And if you are interested in the collection of Cybersecurity Canon Hall of Fame books, plus all the candidate books and even the best novels with a cybersecurity theme, check out the Cybersecurity Canon website, sponsored by Ohio State University, at - all one word and with one N for canon of literature, not two Ns for machines that blow things up. And if that's all too hard, go to your preferred search engine and type Cybersecurity Canon and Ohio State University. 

Rick Howard: And congratulations to Doug Barth and Evan Gilman for their induction into the Cybersecurity Canon Hall of Fame. 

Dave Bittner: And joining me today is Perry Carpenter. I've spoken to him many times before as the chief evangelist and strategy officer at KnowBe4. He's also a well-known published author. But today, Perry, we are talking about something different. You have a new podcast coming out. 

Perry Carpenter: Yeah, I do. It's called "8th Layer Insights." And it's really all about the psychology and the behavior behind why we think the things that we think and why we do the things that we do. And I try to relate that to security, but I also broaden it out into the general areas of life as well. 

Dave Bittner: What prompted you to dip your toe into the podcasting forum here? 

Perry Carpenter: Yeah, that's a great question. It really came about by loving some really great podcasts out there like "Freakonomics" and "Radiolab" and "Planet Money" and others - those narrative, nonfiction style. And there's not been a lot of representation of that in the cybersecurity field yet. 

Perry Carpenter: I think that there have been a few really good examples like that, but catering to a slightly different audience. Something like the "Darknet Diaries" podcast, I think, is a standout. McAfee's "Hackable?" podcast that's been discontinued recently is another standout. But they're really still even catering to a slightly different audience than what I was hoping for. And really just because it didn't emerge on its own, I tried to go ahead and create the thing that I was looking for and then see where it goes. 

Dave Bittner: And who is the audience that you're targeting here? 

Perry Carpenter: It's - primarily, I'd say that the core set is cybersecurity professionals that are interested in influencing behavior - so CISOs, security managers and security practitioners that are trying to help people make better decisions. 

Perry Carpenter: But then also because any study on human psychology and human behavior is a study about ourselves, I'm trying to keep this general enough that it can also have a fuzzy edge to where if you're interested in it, this is something that you could share with your family and they would enjoy hopefully just as much. 

Dave Bittner: You know, it strikes me that one of the things that we fall into in cybersecurity is - by its nature, the technical nature of it, the ones and zeros, you know, we fall into a bit of absolutes. And that means that sometimes that human side gets underemphasized or undervalued. It's interesting to me that part of what you're doing here is shining a light on the importance of that side of things. 

Perry Carpenter: Yeah, absolutely. One of the things that comes out when you study the data about our industry, the cybersecurity industry, is that we have an overfixation on the technology side of things. And so we talk about - you know, if you're in the security field, you've heard of this thing called the OSI security model that talks about seven different layers of security, starting at the data and ending at the application. And that's what we really focus on the security pieces for, is building that technical defense across those seven layers. 

Perry Carpenter: But when we look at the breaches and a lot of the hacks out there, they're focusing not necessarily on those seven layers, but they're using an eighth layer to get in. And so I really want to bring a spotlight to this human side of things because it has been underemphasized for decades. And luckily, we are now starting to see more of an understanding of the fact that this human piece will never go away, that the technology piece will never be 100% effective and that to underemphasize the human is to be not as effective in our security and risk management as we could be. 

Dave Bittner: Can you give us a preview of what we might expect to hear in the first episode? 

Perry Carpenter: Yeah, there's - the first episode really comes out of my book "Transformational Security Awareness," where I talk about this concept of Trojan horses for the mind, so the idea that there are messages and there's information that we want to get to people, but we're in a very noisy world. The signal-to-noise ratio does not favor us as security practitioners trying to get information to people. And so what we need is a Trojan horse. And this gets into the use of emotion, sound, visuals and then words and story in order to contain that message, move past a lot of our mental defenses and then embed that message within somebody's mind. 

Perry Carpenter: And then over the course of the series, we're going to be tackling a lot of other even non-security-awareness-related things like disinformation, conspiracy theories, behavior change and behavior design, psychology, social engineering and so on. 

Dave Bittner: You've got an impressive list of guests lined up for this show. Who are we going to hear from? 

Perry Carpenter: There are too many to list in a format like this. But needless to say, since I'm taking that narrative nonfiction type of route, within one episode, you're going to hear multiple voices - the vast majority of the time. So I don't want to box myself in too much, but the vast majority of time, you'll hear two or three different experts per episode. 

Perry Carpenter: And we've - episodes that are already in the bag, we've got folks like Bruce Schneier, Chris Hadnagy. We've got Kevin Mitnick lined up, Rachel Tobac, BJ Fogg, Matt Wallaert - so BJ and Matt are both behavior scientists that are fairly well known - and many, many more. And so that's really the - kind of the gist here is that we want to start with security and then move increasingly outward into all these other professions and disciplines that should be listened to by our industry. 

Dave Bittner: Well, I've had the pleasure of listening to a preview of the first episode, and I have to say I enjoyed it very much, highly recommend it. The title of the show is "8th Layer Insights." It is part of the CyberWire podcast network. You can find it on our website and also wherever you get your podcasts. 

Dave Bittner: Perry Carpenter, thanks so much for joining us. 

Perry Carpenter: Yeah. Thank you so much for having me. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.