The CyberWire Daily Podcast 6.9.21
Ep 1350 | 6.9.21

Chinese cyberespionage in Russia? US Executive Order rescinds TikTok, WeChat bans. Operation Trojan Shield. Privateering. NATO’s Article 5 in cyberspace. Patch Tuesday notes.


Dave Bittner: SentinelOne attributes the cyber-espionage campaign against Russia's FSB to Chinese services. President Biden replaces his predecessor's bans on TikTok and WeChat with a process of engagement, security reviews and data protection. More on the FBI-led Operation Trojan Shield. Privateering, again. NATO's Article 5 in cyberspace. Joe Carrigan weighs in on recent high-profile cyber incidents. Our guest is Shashi Kiran from Aryaka on their 2021 State of the WAN report. And notes on Patch Tuesday.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 9, 2021. 

Dave Bittner: CyberScoop reports that SentinelOne believes it knows, roughly speaking, who hacked into Russian government networks last year. It was, the security firm says, Chinese espionage services, and not one of the Five Eyes. The espionage group they call the ThunderCats gets the credit, SentinelLabs reports, and it bases its conclusions on what it regards as decisive code similarities to campaigns the APT has earlier used against targets in Southeast Asia. 

Dave Bittner: SentinelOne researcher Juan Andres Guerrero-Saade told CyberScoop, quote, "the idea of Chinese targeting of Russian government, and vice versa, should not shock us. Sino-Russian relations are complex and involve hot-button issues like a shared border, diplomatic and economic interests," end quote. What is relatively unusual is Russia's decision to publicly call out a hostile espionage operation. Diplomatic signaling by press release is more common in the West. 

Dave Bittner: U.S. President Biden this morning issued an executive order that effectively rescinds his predecessor's bans of WeChat and TikTok. While acknowledging an ongoing emergency, the new executive order directs engagement, security reviews and data protection instead of outright bans. 

Dave Bittner: The FBI's satisfaction at the outcome of Operation Trojan Shield, which featured the use of an encrypted chat app under bureau control to identify criminals who thought they were safe from snooping, is well-deserved. It's also becomingly modest. Most of the bureau's fist-pumping has been done vicariously by its international partners. 

Dave Bittner: Most of the offenses were related to drug trafficking. Stuff summarizes the arrests and seizures - quote, "Operation Trojan Shield involved police swoops in 16 nations. More than 800 suspects were arrested, and more than 32 tons of drugs - cocaine, cannabis, amphetamines and methamphetamine - were seized, along with 250 firearms, 55 luxury cars and more than $148 million in cash and cryptocurrencies," end quote. 

Dave Bittner: New Zealand's take alone collared senior members of the gangs with picturesque names like Mongrel Mob, Head Hunters and Comancheros. 

Dave Bittner: Does the international police sting that collared more than 800 suspects who unwittingly used an encrypted chat app secretly run by the U.S. FBI mean that the underworld will be skittish about using encryption? Probably not. Texas News Today talked to a range of experts who point out that the underworld's track record is to simply move on to other apps when one is known to have been compromised. 

Dave Bittner: The FBI's other big success this week was its recovery of a substantial fraction of the ransom Colonial Pipeline paid the DarkSide. The feds had the key to one of the wallets the gang used to share profits with its affiliates, and they were able to use that to take control of the alt-coin the DarkSide had deposited there. It's a commendable clawback, but The Washington Post rains on the parade a little by pointing out that there's no single solution to ransomware. As long as it remains profitable, the hoods will continue to attack. 

Dave Bittner: Much recent ransomware activity has been regarded as privateering - state-tolerated criminal activity. The crooks get to keep the money they steal, and the state - and for state, read Russia - gets economic damage to its adversaries. For adversaries, read the United States, among others. 

Dave Bittner: StateScoop reports that FireEye's Kevin Mandia told a New York state cyber conference that the U.S. was getting sucker-punched in cyberspace and that this would continue until the nation upped its defensive game. 

Dave Bittner: NATO General Secretary (ph) Jens Stoltenberg has said this week that a significant cyberattack could trigger NATO's Article 5, the collective defense provision under which the Atlantic Alliance treats an attack against one member as an attack against all members. He also pointed out that NATO exercises now include cyber operations as a routine part of their scenario. 

Dave Bittner: The Atlantic Council, where Stoltenberg spoke Monday, outlined his remarks on Russia and China. He sees a dual-track approach to Russia. Quote, "a pattern of aggressive actions from Russia has led NATO to beef up its presence on its eastern front and in the Black and Baltic Sea." 

Dave Bittner: But ahead of Biden's meeting with Russian President Vladimir Putin, which will follow the NATO summit, Stoltenberg said the alliance must maintain a dual-track approach. We have to be strong, firm. But at the same time, we need to strive for dialogue with Russia because Russia's our neighbor. We have to work on issues like arms control. 

Dave Bittner: Stoltenberg even raised the possibility of resuming the NATO-Russia Council, a forum for collaborative dialogue that has not convened since July 2019. Quote, "so far, the Russians are not answering in a positive way, but we have some contact with them now on the possibility of convening a meeting of the NATO-Russia Council," end quote. 

Dave Bittner: Stoltenberg sees China as a different problem. Quote, "we need to engage with China on issues like arms control and climate change. And therefore, China is not an adversary," end quote. But from a crackdown on ethnic minorities to blocking freedom of navigation, they don't share our values, Stoltenberg added. 

Dave Bittner: How should NATO respond? Given Chinese investment in European infrastructure, NATO's 2030 agenda includes stronger guidance for resilience, telecommunications, undersea cables, energy grids and critical infrastructure, and also investing in and working more on technology, sharpening our technological edge. 

Dave Bittner: Researchers at SecurityScorecard tell Bloomberg that the REvil gang, in the course of their ransomware attack against meat processor JBS, succeeded in taking data from Australian and Brazilian units of the company. 

Dave Bittner: Yesterday was Patch Tuesday, and Microsoft addressed 49 issues, five of them rated critical, the rest assessed as important. Six of the vulnerabilities were zero-days that have been undergoing active exploitation in the wild. 

Dave Bittner: Intel also patched yesterday, addressing 73 vulnerabilities in 23 advisories. 

Dave Bittner: Onapsis reports that SAP has issued 20 fixes to its products. Memory corruption issues are among the important vulnerabilities addressed. 

Dave Bittner: And Adobe also patched, issuing fixes for 41 vulnerabilities against 10 products. 

Dave Bittner: Researchers at Aryaka Networks recently published the latest edition of their State of the WAN report, highlighting trends in SD-WAN and SASE planning and deployment. I spoke with Shashi Kiran from Aryaka for some of the highlights. 

Shashi Kiran: This is something that we use to shape our own road map. And we have a global presence with customers, a global footprint. And we don't see a report out there in the industry that reconciles all the nuances and the trends in a detailed way across different countries and regions. And so it's a good exercise for us to get in front of these trends and use them as a way to guide our own road maps. But at the same time, we also then end up sharing this with customers and prospects and partners and becomes an invaluable part leadership asset for them to use in their own planning efforts, which, you know, is doubly beneficial as a result. 

Dave Bittner: What sort of things are you tracking in terms of challenges that folks are facing from a WAN point of view? 

Shashi Kiran: The biggest challenge that we have seen, aside from, you know, complexity, is really the focus on application performance. The WAN is really the lifeblood of the organization if you look at being able to connect users, regardless of which location they're operating from and the kind of applications that they're using. And if you don't have reliable performance, then it ends up really having an impact, a negative impact on employee productivity and performance. So that's been sort of top of mind. 

Shashi Kiran: And we've also seen, as more applications became cloud-ready and enterprises adopted a cloud-first approach to their WAN, they're also moving away from more static protocols like MPLS, which have been around for a couple of decades now - very reliable, focus on performance, but they are really not meant for change management and dynamic nature of the organizations today, where businesses are rapidly evolving. 

Shashi Kiran: So that has led to, you know, greater preference towards more agile architectures, SD-WAN and SASE being amongst them. But we've also seen, going back to this notion of complexity, that enterprises don't necessarily want to go build out a set of boxes by themselves and manage it by themselves. So we're seeing there's increased preference moving towards managed services where they would ideally like to consume these services based on their usage model rather than go with the do-it-yourself approach and manage that inherent complexity. 

Shashi Kiran: These are some, you know, top-of-mind things that we saw come out very prominently in this year's report. 

Dave Bittner: That's Shashi Kiran from Aryaka Networks. Their State of the WAN report can be found on their website. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: So I wanted to touch base with you today about some of the trends that we're seeing when it comes to ransomware attacks. The attackers are upping their game and shifting their targeting. What do you make of all this, Joe? 

Joe Carrigan: That's - what do I make of it? I don't know what I make of it yet, but it's an interesting trend. Normally, we see them going after businesses, right? 

Dave Bittner: Right, right. 

Joe Carrigan: And they're targeting businesses who they know have deep pockets, and then they're basing their - they were basing their ransom demands based on the company's revenue. They were actually doing a lot of business analysis in order to do this. 

Dave Bittner: Right. 

Joe Carrigan: Now they've kind of shifted from doing that to shutting down things, to shutting - well, to shutting things down. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? Making it so that services are not available to the general public, things like the Colonial Pipeline shutdown that was carried out by DarkSide. And then DarkSide saw that - or REvil saw that DarkSide got $4 million out of that. And, of course, that only incentivizes them to attack. And they've since attacked the JBS meat plant, or a bunch of meat plants, and as well as the New York subway and Martha Vineyard's (ph) ferries. 

Dave Bittner: Yeah, yeah. I wonder how much of it's intentional. I mean, first of all, I guess it's important to note that when it came to Colonial Pipeline, it wasn't the ransomware folks who shut down the pipeline. It was Colonial who shut down... 

Joe Carrigan: Right. 

Dave Bittner: ...The pipeline because they couldn't do their billing, and they were concerned about that. So - and that may be a distinction without a difference. The bottom line is... 

Joe Carrigan: Right. 

Dave Bittner: ...The stuff didn't flow, right? 

Joe Carrigan: Right. And the - there was an article in The Wall Street Journal where the CEO explained why he did it. He said they didn't know how far they got into the system. So he thought they may have been in the operational technology. 

Dave Bittner: Right. So better to be safe than sorry... 

Joe Carrigan: Right. 

Dave Bittner: ...And shut things down than perhaps have things go really off the rails. 

Joe Carrigan: Right. 

Dave Bittner: This was the rationale. 

Joe Carrigan: Yes, agreed. And I think that was the right decision to shut the pipeline down. 

Dave Bittner: Yeah. 

Joe Carrigan: If you don't have faith in the system running it, you shut it down. Same with the meat plant. There's a lot of SCADA systems in there that - you know, when I first heard about this, I'm like, well, what kind of SCADA systems are in a meat processing plant? But there are a lot. There's a lot of temperature control stuff that is absolutely imperative for food safety. 

Dave Bittner: Right. 

Joe Carrigan: There's pumps. Lots of pumps are controlled by these SCADA systems. And now they're shutting down a ferry system. 

Joe Carrigan: This is - has a direct impact on people's mobility. You know, these are things that impact all of us. And it's a change from the almost nameless, faceless ransomware attack on a corporation that - oh, no, now this corporation can't do their job, and they have to pay some ransom or have to rebuild all their computers. Now it's things like, hey, my meat prices are going up. My gasoline prices are going up. I can't get where I need to be. It's a change. 

Joe Carrigan: And I find it interesting that, you know, right now, the Department of Justice is prioritizing these attacks. 

Dave Bittner: Right. 

Joe Carrigan: They're saying that's the same level of terrorism. The - Business Insider has a story today saying that the FBI director, Christopher Wray, has compared the latest spate of ransomware attacks to the U.S. - in the U.S. to 9/11. I don't know if that's a valid comparison. I'm not sure that very many people have died as a result of these ransomware attacks. 

Dave Bittner: Right. 

Joe Carrigan: But it's certainly an attack. It is certainly a series of attacks. And DarkSide says that they've gone away, right? 

Dave Bittner: Yeah. Right, right. 

Joe Carrigan: That's what they said when they were GandCrab, right? 

Dave Bittner: Yeah, yeah. Exactly. 

Joe Carrigan: So they'll be back. You know, you don't make $4 million and then just disappear in this kind of market. 

Dave Bittner: Yeah. And I wonder if they've all sort of gone a bridge too far. Or, you know, I guess the sports analogy would - have they out-kicked their coverage, in that by doing this, yeah, they got their 4 million bucks or whatever the ransom was, but now they have the attention of the U.S. government at the highest levels. 

Joe Carrigan: Right. 

Dave Bittner: And, you know, President Biden has said he'll be speaking with President Putin about this when they get together in a few weeks. It'll be interesting to see to what degree is he able to apply pressure to try to stop this. 

Joe Carrigan: Right. Yeah, we'll have to pay attention to see how that goes. It'll be interesting to watch. 

Dave Bittner: Yeah. I think it's also interesting how it puts ransomware in the larger global scale where, you know, a nation could be - could you - for example, the U.S. could put financial pressure on the Russians. The U.S. could have more sanctions on the Russians. 

Joe Carrigan: Right. 

Dave Bittner: In other words, it's not just sort of tit for tat within cybersecurity. It's reached the point where we're using the other levers of diplomacy that we have... 

Joe Carrigan: Right. 

Dave Bittner: ...To try to say, hey, knock it off, knuckleheads. 

Joe Carrigan: Right. And the Russian counterargument to that is these are criminal elements within our organization or within our country. We don't have control over these guys. 

Dave Bittner: Yeah. 

Joe Carrigan: You don't have control over your criminal elements. 

Dave Bittner: Yeah. 

Joe Carrigan: How can you expect us to have control over ours? 

Dave Bittner: (Laughter) Right. Yeah, OK. 

Joe Carrigan: Right. I hear you, Dave (laughter). 

Dave Bittner: Yeah. I mean, you know - I guess, you know. Yeah. All right (laughter). I think we all know, you know, the degree to which we should take those sorts of statements coming out of Russia seriously. 

Joe Carrigan: Right. Yes, agreed. 

Dave Bittner: History has proven to us the degree to which we should take those sorts of statements coming out of Russia seriously. So we will. 

Dave Bittner: All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.