The CyberWire Daily Podcast 5.27.21
Ep 1342 | 5.27.21

Impersonation campaign targets China’s Uyghur minority. US DHS issues pipeline cybersecurity requirements. Recovering from ransomware. Notes on privateering.


Dave Bittner: Chinese-speaking operators are reported to be phishing to compromise devices belonging to Uyghurs. The U.S. Department of Homeland Security issues pipeline cybersecurity regulations. Security companies take various approaches to offering decryptors against ransomware. Huawei would like to chat with President Biden. Rick Howard speaks with authors Peter Singer and Emerson Brooking on their book "LikeWar: The Weaponization of Social Media." Our guest is Darren Shou of NortonLifeLock on the findings of the sixth annual Norton Cyber Safety Insights Report. And a few notes on privateers then and now, whether on the High Barbaree or the dark net.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 27, 2021. 

Dave Bittner: Researchers and security firms Check Point and Kaspersky report another campaign targeting China's Uyghur minority with messages and sites that impersonate U.N. and human rights groups. Quote, "attackers use fake United Nations documents and human rights websites to spread malware that has the ability to exfiltrate information and take control of victims' PCs," the report says, adding that the threat actor baited its attack in two ways. 

Dave Bittner: They created documents that appear to be from the U.N., using real U.N. information to ensure these looked authentic. The organization principally impersonated was the Office of the High Commissioner for Human Rights. They also set up websites for nonexistent organizations claiming to fund charity groups. Prominent among the NGOs impersonated was the Turkic Culture and Heritage Foundation. The Uyghur are a Turkic people. The campaign appears to have been highly targeted, prospecting a relatively small number of individuals, both Uyghurs living in China and some members of the Uyghur diaspora mostly resident in Pakistan. 

Dave Bittner: The report is reticent about its code-based attribution, saying, although the researchers were unable to find code or infrastructure similarities to a known threat group, they attribute this activity with low to medium confidence to a Chinese-speaking threat actor. When examining the malicious macros in the delivery document, the research team noticed that some excerpts of the code were identical to VBA code that might have appeared in multiple Chinese forums and might have been copied from there directly. 

Dave Bittner: That said, the target list is suggestive. It's difficult to come up with a Chinese-speaking threat actor interested in compromising Uyghur targets who wouldn't be working on behalf of the Chinese security services. But that, of course, is merely circumstantial. That, however, is basically the way MIT Technology Review reads the evidence. 

Dave Bittner: As expected, the U.S. Department of Homeland Security this morning released its cybersecurity requirements for pipelines. The Transportation Security Administration directive requires pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency and to designate a cybersecurity coordinator to be available 24 hours a day, seven days a week. It will also require critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days. 

Dave Bittner: Those requirements have been imposed, obviously, as part of a response to the DarkSide ransomware attack that disrupted Colonial Pipeline's operations earlier this month. While control systems were not apparently directly affected by the attack, Colonial's ability to track what it was delivering through its lines was affected. Some sources have represented Colonial's decision to halt operations as a coarsely commercial one. They couldn't bill for the product, so they stopped delivering it. But this seems misleading. Not being able to determine what's moving through your system with high confidence isn't just a business issue but probably a safety problem as well. 

Dave Bittner: The Wall Street Journal reports that Colonial last year passed up a TSA security audit of its systems, offering instead of the in-person audit TSA proposed a virtual inspection instead. TSA said that this happened with several other pipeline operators as well, who were, with the pandemic at its height, limiting their employees' exposure to in-person interactions. As these restrictions eased, operators began rescheduling TSA inspections. Colonial was doing so as the DarkSide attack hit them. Fast Company thinks organizations should expect more ransomware attacks in the future. The crime in its present form has grown too lucrative, and the tools have now become too commoditized, to expect any abatement. 

Dave Bittner: The security firm Bitdefender has replied to critics and made its case for releasing ransomware decryptors publicly as opposed to providing them quietly only to affected organizations. The company argues that because many victims are small and lack dedicated security teams and because many organizations don't disclose the attacks they suffer, the benefits of a general release of a decryptor outweigh the risks that the criminals will use the decryptor to improve their attack code. 

Dave Bittner: Emsisoft, well-known for providing decryptors, is an example of a security company that takes the other, more targeted approach to decryption. It's offered to help Waikato DHB recover from the ransomware attack the New Zealand healthcare agency has sustained. Emsisoft gives itself even odds of being able to deliver a decryptor, Stuff reports. Good hunting to both Bitdefender and Emsisoft. 

Dave Bittner: Nikkei Asia has published an open letter from a Huawei executive to U.S. President Biden in which Huawei urges the two parties to talk - maybe sovereign-to-sovereign talks, although the letter doesn't put it exactly like that. 

Dave Bittner: And finally, signs of connections between criminal groups like DarkSide and the Russian government's organs have led, as we saw yesterday, to Cisco's Talos Group's introduction of a new threat category to its taxonomy - privateers. Their discussion of cyber privateering has attracted considerable interest, and it's worth a few brief words about what actually makes a privateer. 

Dave Bittner: Privateering was outlawed by international convention in the late 19th century, but it had until then been a recognized form of lawful warfare. Privateers were not pirates. They were mariners who received from their government a letter of marque and reprisal that authorized them to take as prizes the merchant ships of their government's enemies. Thus privateers were legal combatants. Think of them as naval auxiliaries. The prizes they took were subject to adjudication in admiralty courts, and if they were found to have overstepped the terms of their letter of marque, they could be required to make restitution to the injured ship owners or the merchants whose cargo they'd seized. 

Dave Bittner: So privateers operated under explicit government authorization and within generally recognized limits. This isn't really what's going on with DarkSide and others like them. The category is a useful contribution to the threat taxonomy, and Talos is very probably right to see DarkSide as acting in the interest of, and with some form of authorization from, the Russian government. But the resemblance to classic privateering stops there. Extorting hospitals and critical infrastructure operators has no coloration of legality, which is no doubt one reason why Moscow has sought to maintain deniability. Cyber privateering is closer in some ways to the state-sponsored terrorism of the Cold War than it is to anything John Paul Jones, to mention one famous Russian admiral, would have recognized as a letter of marque. 

Dave Bittner: In any case, if you're a skid working from a tacky walkup in Chelyabinsk, buddy, then Robert Surcouf you ain't. And Captain Barrett probably wouldn't even have considered giving you a berth on the Antelope. And Krasnodar ain't Halifax, neither - no four-pounder for you, sir.

Dave Bittner: The CyberWire's Rick Howard joins us once again with another entry in his series of interviews with cybersecurity authors who've had their books inducted into the prestigious Cybersecurity Canon. Here's Rick. 

Rick Howard: It's Cybersecurity Canon Hall of Fame week here at the CyberWire, and I'm interviewing all the winning authors for this year. Today's interview is with Peter Singer and Emerson Brooking, the authors of "LikeWar: The Weaponization of Social Media." And I started out by asking Emerson why they both felt compelled to write this book.

Emerson Brooking: Because we saw something coming down the pipeline. We had our first conversation about what would become "LikeWar" in the summer of 2013, back when everyone in D.C. was talking about a terrorist group called al-Shabab out of Kenya. And they were particularly famous for using Twitter and using it very effectively. But even then, we saw that it wasn't just going to be Shabab. It wasn't just going to be limited to Africa. There were going to be other terrorist groups that are going to use this tool and that maybe over time there would be more national militaries who'd be using this as an instrument of warfare as well. But when we had these initial framing conversations, I don't think we even anticipated that it would be the Russians, it would be these clandestine information campaigns targeting the United States, that there would be a rise of, you know, white extremism and white nationalism also fomented by social media and that it soon would consume our politics to the extent that it has. 

Rick Howard: Military influence operations have been around since the world was young, but so have media influence operations. In the book, the authors cite the Spanish-American War, where the St. Paul Globe newspaper changed its motto in 1894 to live news, latest news, reliable news, but no fake war news. So it's not that this is a new phenomenon. I asked Peter to explain why it seems so overwhelming today.

Peter Singer: It's all been put on steroids. It's been driven viral when it's pushed through social media. When people were talking about social media, it was this assumption that it was going to aid the forces of democracy. It was only going to be for the good. And of course, what we found very early on was that it was a weapon, and it was a weapon that was being used, you know, by terrorist groups, criminal groups, Russian information warriors. 

Peter Singer: But to use that example of the Russians, it was taking the kind of operations that they had done back in the Cold War but making them move faster and with orders of magnitude greater effect than they'd ever had before. Campaigns that in the past were taking them years to influence a couple thousand people - it was taking them seconds to reach millions of people. The very same thing was playing out in celebrity. But the larger effect that we saw was a little bit of a riff off of the field of cybersecurity. We had become consumed with the idea of someone trying to hack the network, and yet what we were seeing was, in some cases, even greater effect from people hacking the people on the network by driving ideas viral. 

Rick Howard: The book is called "LikeWar: The Weaponization of Social Media." Peter, Emerson and I had a long-ranging discussion that covered way more details about the book, including homophily and why the U.S. is particularly vulnerable to these kinds of information operations, did the Russians effectively change the outcome of the 2016 presidential election and the things that governments, commercial organizations and individuals can do to build up a resistance to future attacks. You can hear that longer interview in my "CSO Perspectives" podcast exclusively on the CyberWire Pro subscription service. And congratulations to Peter Singer and Emerson Brooking for their induction into the Cybersecurity Canon Hall of Fame. 

Dave Bittner: The folks at NortonLifeLock recently released their sixth annual Norton Cyber Safety Insights Report, looking at cybercrime and identity theft. Darren Shou is CTO at NortonLifeLock, and he joins us with highlights from the report. 

Darren Shou: This is our sixth annual report, and we do it for two purposes. One is you really want to get an understanding of how consumers are feeling about cyber safety and privacy needs and concerns because the cybersecurity landscape is always changing and evolving, right? This year is a particularly interesting year given of all the changes that happen with COVID-19 and the transformation and acceleration of digital lives. And then we can take this work that comes out of the Cyber Safety Insights report and then also combine it with what our protection labs is seeing in our telemetry, from our threat telemetry databases. 

Dave Bittner: Well, let's dig into that together. I mean, as you mention, I think it's fair to say and I think all of us understand that this past year was a bit atypical. But one of the results of that is that people spent a lot more time online. 

Darren Shou: In fact, in our Cyber Safety report, most people - I think it was a little bit over 65% - said they spent more time online than ever before. And, of course, this makes perfect sense. You know, I'm a father working from home for the last year myself. My daughter immediately went to an online learning environment. I mean, it felt like it was overnight. 

Dave Bittner: And so how did that reflect in the findings for this year's report? What sort of things are you tracking? 

Darren Shou: Yeah, so you're right. You have a number of people experiencing cybercrime or are now also just experiencing identity theft. So what we saw was there were about 330 million cybercrime victims over the past 12 months that the survey covered and about 55 million identity victims. You know, kind of put that in perspective, you think about that being in the United States, 2 of 5 people experienced cybercrime as more and more people went online this year. I mean, that's a huge amount of folks experiencing kind of a double whammy, right? You've got the physical virus taking over the world and impacting us in unimaginable ways, and then we also have kind of the impacts of cybercrime - right? - whether it be from malware or phishing or fraud, right? 

Dave Bittner: Yeah, I was going to ask you to kind of spell out - I mean, what are the spectrum of things that people are experiencing here? What falls into the category of cybercrime as you all tracked it? 

Darren Shou: Right. So, I mean, this covers quite a bit, from malicious software to, you know, disruptions from the network access. You know, maybe it is even as you're working from home having your personal Wi-Fi network attacked or unauthorized access on a smart device that maybe had a web camera or takeover of a social media account or a gaming account as people went online. You know, one thing that was really personal for me was seeing that - you know, having my child being online but also having her experience a little bit of bullying as she was engaging in chat rooms, which was a brand-new experience for her to go online, see her teacher, see her colleagues, and even do kind of what I would call, I guess, a cyber playdate and yet experience maybe some unwanted, you know, interactions as people were getting used to this entire new way of living. 

Dave Bittner: That's Darren Shou from NortonLifeLock. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.