The CyberWire Daily Podcast 5.26.21
Ep 1341 | 5.26.21

Cybersespionage reported in Belgium. Low-sophistication attacks on OT networks. Healthcare ransomware attacks. Privateering defined. Advice for boards. And news of crime.


Dave Bittner: Hafnium visits Belgium. Low-sophistication attacks on operational technology. Updates on health care sector ransomware attacks in New Zealand and Ireland. Wipers masquerading as ransomware. Privateers are defined as a new category of threat actor. TSA's new standards for pipeline security. The World Economic Forum has advice for boards in the oil and gas sector. Rick Howard interviews Liza Mundy on her book, "Code Girls: The Untold Story of the American Women Codebreakers Who Helped Win World War II" (ph). Joe Carrigan describes fraudulent search engine ad buys. And as one criminal is sentenced, eight more are arrested.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 26, 2021. 

Dave Bittner: It's not all ransomware all the time, although it can certainly seem that way. Sometimes it's espionage. Reports out of Belgium say that the country's Federal Home Affairs Ministry came under attack as far back as April of 2019. The apparent goal, The Brussels Times says, was information theft in the service of espionage. The incident is under investigation, but sources connect it with Hafnium, the Chinese threat actor believed to have exploited Microsoft Exchange Server vulnerabilities. 

Dave Bittner: Ransomware and other cyberattack tools have for some time been undergoing commodification, being traded in criminal markets or offered through affiliate programs to operators who themselves lack the skills necessary to write effective code. 

Dave Bittner: The same process may now be underway with respect to the compromise of operational technology, FireEye's Mandiant unit concludes. The researchers call these low-sophistication incidents, and while they don't usually have immediate physical effects, they can still disrupt industrial processes that interact with business systems in particular. They also express concern that low-sophistication attacks contribute to a normalization of attacks against OT networks. 

Dave Bittner: Reuters reports that the group claiming responsibility for the cyberattack against the Waikato District Health Board has begun releasing what seems to be private patient information. Authorities in New Zealand have been relatively tight-lipped about the incident, but it's widely taken to have been a ransomware attack. RNZ says the government has stated that it won't pay the ransom and that the National Privacy Commissioner has directed all district health boards to address the vulnerabilities the attackers exploited against the Waikato DHB. 

Dave Bittner: In the other big ongoing ransomware attack against a health care organization, The Irish Times reports that Ireland's HSE is happy with the decryptor it's obtained and that some suspended services will resume by tomorrow, although full recovery remains some weeks away. 

Dave Bittner: Ransomware has also been used as cover for attacks whose motive is disruptive or destructive, not financial. The NotPetya attacks of 2017 are a good example of this particular form of misdirection. 

Dave Bittner: SentinelLabs is tracking the evolution of Agrius, an Iranian threat group active against Israeli targets since last year, whose tools began as wipers disguised as ransomware. In some respects, it's now apparently come full circle. One of its wipers, Apostle, has recently evolved into what it was pretending to be - fully functional ransomware deployed against targets in the United Arab Emirates. That said, as ZDNet points out, the point of the operation still seems to be disruption of regional rivals as opposed to simple financial gain. 

Dave Bittner: Speculation has placed the relationship between the DarkSide ransomware operators and the Russian government on a spectrum that runs from inattention through incompetence to corruption and on through toleration, permission and encouragement all the way to direction. The reality probably lies somewhere in the middle in the toleration-to-encouragement range. There's a convergence of interests. Russia sees a rival embarrassed and inconvenienced, and the gang gets a payoff - in this case, a bit more than $4 million. 

Dave Bittner: With this incident in mind, Cisco's Talos group has introduced a new threat category in recognition of what appears to be an emerging trend. They call the threat actors privateers and describe them as actors who benefit either from government decisions to turn a blind eye toward their activities or from more material support, but where the government doesn't necessarily exert direct control over their actions. Talos is a bit starchy about the government role in all of this, saying that the distancing in itself does not diminish the responsibility these governments share with these groups. The researchers also distinguish privateers from mercenaries, operators whom a government hires for specific purposes. 

Dave Bittner: The U.S. Transportation Security Administration is issuing new standards for pipeline security this week. Prompted by the Colonial Pipeline ransomware attack, the new regulations will, according to The Wall Street Journal, have teeth for enforcement. Earlier standards were guidelines that relied upon voluntary compliance. In this respect, the new system will resemble regulations under which the electrical power industry currently operates. One of the central requirements of the new regulations is expected to be stronger reporting. 

Dave Bittner: Voluntary standards aren't being ignored either. The World Economic Forum has published a white paper - "Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers" - that offers sector executives guidelines for handling threats like the one that disrupted Colonial Pipeline. The white paper was prepared with significant input from security companies. 

Dave Bittner: The white paper advances 10 principles for boards in particular. They include responsibility for cyber-resilience, command of the subject, an accountable officer, integration of cyber-resilience, risk appetite, risk assessment and reporting, resilience plans, community, review and effectiveness. The report also offers advice on implementation. You can find the details on their website. 

Dave Bittner: And finally, two notes on ordinary cybercrime. The Record reports that Kirill Firsov, 30 years young and formerly proprietor of the now-defunct carding forum, was sentenced to 2 1/2 years by a U.S. federal court in California. Mr. Firsov took a guilty plea to one charge of unauthorized solicitation of access devices. 

Dave Bittner: And Naked Security has the news that Britain's Dedicated Card and Payment Crime Unit has collared eight suspects in a home delivery scam, one in which the phishbait is a notice that appears to be from a trusted courier service like the Royal Mail asking for help in making a delivery. The phish hook is a link that takes the victims to a page where they're invited to make a very small payment - pennies, really. But, of course, that payment is not the goal. What the scammers are after is the victims' pay card details. What follows is easily imagined. Should the suspects be convicted, we trust they'll be detained at Her Majesty's pleasure. 

Dave Bittner: My colleague Rick Howard continues this week's series of interviews with authors of well-known cybersecurity books. Here's Rick with the latest. 

Rick Howard: It's Cybersecurity Canon Week here at the CyberWire. And unofficially, all of the CyberWire staff members are referring to this week as a Shark Week for cybersecurity books because the Cybersecurity Canon Project has announced the author selectees for the Hall of Fame awards in 2021. And I'm interviewing all the winning authors. Each day this week, you will get a taste of the winning author interviews here in this daily podcast segment, but you can listen to the entire long-form interviews as special episodes in my "CSO Perspectives" podcast, only available to the CyberWire Pro subscribers. 

Rick Howard: Today's interview is with Liza Mundy, the author of "Code Girls: The Untold Story of the American Women Codebreakers Who Helped Win World War II" (ph). 

Rick Howard: I've been a fanboy to the code-breaking efforts at Bletchley Park during World War II for many years now. Alan Turing is a personal computer science hero of mine, and I first heard about his Enigma-busting exploits against German codes in my favorite hacker novel of all time, "Cryptonomicon," written by the Cybersecurity Canon lifetime achievement winner Neal Stephenson. I always knew that there were like-minded efforts going on in the Pacific theater. I had heard rumors of the Americans breaking various codes, like the team working for William Friedman solving the Japanese Purple code and the efforts of Joe Rochefort breaking the JN-25 code that led to the victory at the Battle of Midway, but I never stumbled upon any books that told the complete story. Well, now I have. 

Rick Howard: "Code Girls" by Liza Mundy is a treasure. When I got Liza to the CyberWire Hash Table, I asked her about what compelled her to write this book. 

Liza Mundy: Once I learned about the story of 10,000 women being recruited to come to Washington during World War II, many of them former schoolteachers and/or college seniors, I couldn't resist telling the story. I couldn't believe that the story hadn't already been told in the many books that existed on World War II code-breaking. 

Rick Howard: The remarkable characteristic about the "Code Girls" story is that despite the heroic efforts of Friedman and Rochefort, the day-to-day work of deciphering Japanese and other nations' codes during World War II was largely done by American women, civilians at first and then in collaboration with the newly formed WAVES, or Women Accepted for Volunteer Emergency Service in the United States Naval Reserve, and the WAAC, the Women's Army Auxiliary Corps, that both came into service in 1942. While military and civilian men mostly got the credit, it was these remarkable women who ran the show, and their efforts were so secretive that many of these women went to their grave without telling their loved ones what they did during the war. Family and friends thought that the code girls simply performed administrative work. 

Rick Howard: In the book, Liza is able to tell the stories of some 20-plus women - what they did with their code-breaking efforts and how they lived their lives during the war. I asked Liza about the decision made by military leaders to inject 10,000 women into the code-breaking war effort. In other words, what was the catalyst? 

Liza Mundy: Well, obviously, Pearl Harbor was a terrible surprise to the United States. It was the event that launched us into the - into World War II, and it was also a massive intelligence failure. And at the very same moment that we were sending tens and ultimately hundreds of thousands of young men out to fight in all corners of the world, crossing these major oceans, we knew how inadequate our intelligence-gathering abilities were. And we had to ramp up our signals intelligence really overnight in order to make sure that another Pearl Harbor didn't occur. 

Liza Mundy: And before the war, it would've been young men who were recruited to do this work, but they were suddenly unavailable. And so when I was doing my research for the book, I found a document in which you could see the light-bulb moment going on above a naval official's head. It read - it was the recruiting document for the Navy's code-breaking service, and it read, new source - women's colleges. And so for the first time in American history, educated women and bright women were allowed to show what they could do. 

Rick Howard: I want to give a full-throated endorsement for this book. It opens up a history into World War II that I didn't know about before. And it makes the case that women don't have to break into the cybersecurity industry; they have been here from the very beginning. The book is called "Code Girls: The Untold Story of the American Women Code Breakers Who Helped Win World War II" (ph). The author is Liza Mundy, and she is the newest author addition to the Cybersecurity Canon Hall of Fame. 

Rick Howard: And if you are interested in the collection of Cybersecurity Canon Hall of Fame books, plus all the candidate books and even the best novels with a cybersecurity theme, check out the Cybersecurity Canon website, sponsored by Ohio State University, at - all one word and with one N for canon of literature, not two N's for machines that blow things up. And if that's all too hard, go to your preferred search engine and type Cybersecurity Cannon and Ohio State University. And congratulations to Liza for her induction into the Cybersecurity Canon Hall of Fame. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting article - this is from the folks over at The Record by Recorded Future. And they're sharing some information they got from the FBI about some folks trying to spoof some banks here. What's going on here, Joe? 

Joe Carrigan: It is an FBI - what they call a PIN alert, a private industry notification. I don't like the overloading of acronyms, Dave... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...But it's called a PIN alert. And it is - unfortunately, The Record actually can't share the entire alert because of sharing restrictions from the FBI. But they've been notified, and they are talking about some of the things that are going on in here. 

Joe Carrigan: And what we're seeing is something you and I have talked about for about the past year. This is something that's relatively new in social engineering attacks - is search engines that sell ads are selling ads to malicious actors who are linking to look-alike sites for financial institutions. So if - let's say you have an account with Bank of America, for example, and you go to Google, and you type in Bank of America - because that's what we do, right? We don't actually go to our web browser and type in We go to Google and type in Bank of America, and Google gives us the link. 

Dave Bittner: Yeah. 

Joe Carrigan: But at the same point in time, they also give ads, and people are buying ads that then link to a phishing page. And I'm actually seeing this a lot. It's - when I'm searching for something - this has happened to me. I'm a customer of Comcast, and when I call - or when I Google Comcast customer support, the first link is not Comcast customer support. It's an ad to something else, trying to sell me, like, internet services or something. 

Dave Bittner: Right, right. 

Joe Carrigan: And the second link, the actual first search result, is Comcast customer support. But the first thing I see is an ad. And... 

Dave Bittner: Yeah. 

Joe Carrigan: ...These ads are particularly malicious. And they're doing - the FBI says that they're doing two things. One, they're actually purchasing the ads and, two, they're using search engine optimization on fake sites. So they're not even - they're just letting these search results bubble up to the - to near the top of the search page to see if they can get people to click on them basically for free, right? 

Dave Bittner: Right. 

Joe Carrigan: So they don't have to buy the ads. 

Dave Bittner: Yeah. 

Joe Carrigan: In both versions of these schemes, the spoofed portal prompts the customers to enter a bunch of information - first off, their account credentials, their telephone number and then their security questions. And then these actions, of course, fail to grant access. At that point in time, the account holder, the victim here, would get a phone call from the malicious actor here, who falsely claims to represent this institution that they've been trying to access. 

Joe Carrigan: So in our example, you have a Bank of America account. You click on the Bank of - the fake Bank of America link. You enter your username, your password. They ask you for your birthdate, your telephone number, all this other stuff. 

Dave Bittner: And blood type. 

Joe Carrigan: Right, blood type. Exactly. 

Joe Carrigan: And then you don't get in, and you get a phone call from these guys. While they're on the phone with you, Dave, they're actually logging into your bank account using all the information. And if they encounter anything at this point in time - this is my speculation, but one of the reasons they keep you on the phone is if they encounter anything in the authentication process or the password reset process or whatever it is, they're going to ask you about that to verify some more information, and they're going to just enter it, and they're going to get right into your account, at which point in time they just start initiating wire transfers out of your account. 

Joe Carrigan: And the FBI says they have found that these people have taken hundreds of thousands of dollars out of people's accounts. 

Dave Bittner: Yeah. Well, I mean, one of the things that I think is particularly troubling here is that, you know, we talk about over on "Hacking Humans" all the time that if you get a link to something in an email - for example, let's say you get an email, and they're saying that they're from your bank. 

Joe Carrigan: Right. 

Dave Bittner: Let's say Bank of America or whoever you do your banking with. That you - we - our recommendation is never click that link. Instead, go to your web browser and put in the website and go directly to their website. In a way, this is short-circuiting that... 

Joe Carrigan: Right. 

Dave Bittner: ...Because it's relying on people's - either the tendency to, as you say, just search for the name of the bank - 'cause if you fat-finger it and you misspell it, you know, Google's going to be your friend and correct it for you, right? 

Joe Carrigan: Right, right. 

Dave Bittner: But this - by sort of inserting themselves either in through the ad process or just through natural search engine optimization, they're having the bad websites bubble up to the top. 

Joe Carrigan: Right, absolutely. And I don't know who to blame here, who to point the finger at. 

Dave Bittner: Yeah. 

Joe Carrigan: Obviously, I don't want to blame the victims. They're actually being victimized by these criminals. But I'm wondering if these ad companies bear some accountability here. These guys absolutely do not vet any ads that they get. They could not possibly do that. You look at Google's revenue streams, and advertising is the biggest revenue stream. They have millions of advertisers, and they don't have people that can go in and look at all these things. They might be able to write some AI algorithm about it, you know, to see if this is... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Something impersonating a banking site. 

Dave Bittner: Yeah. 

Joe Carrigan: But they're not. They're not doing that. And I'm sure that they're working on it 'cause I don't genuinely believe that Google wants this to happen. This is bad for Google. And I think they're probably working on something to stop this. 

Dave Bittner: Sure. 

Joe Carrigan: But in the meantime, they're letting people get abused this way. 

Dave Bittner: Yeah, yeah. I think it's another example where also a password manager can help you out because if you... 

Joe Carrigan: Absolutely. 

Dave Bittner: If you go to the fake website and summon your password manager to try to fill it in, you know, most password managers will say, well, hold on here a minute, cowboy. 

Joe Carrigan: Right. Yep. 

Dave Bittner: This is not the site that I had - you know, this is not where we usually go to log in here. Are you sure you want to do this? So you'll have that. 

Joe Carrigan: Right. Yeah, that is especially true with the browser-integrated password managers. 

Dave Bittner: Yup, yup. So another vote for password managers there. 

Dave Bittner: All right, well, it's an interesting story. Again, it's over on The Record by Recorded Future. Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.