The CyberWire Daily Podcast 6.14.21
Ep 1353 | 6.14.21

Third-party data breach at Volkswagen. An anti-monopoly agenda with Big Tech in its crosshairs. Recovery ransom. How EA was hacked. Avaddon gives up its keys. Gamekeeper turned poacher?

Transcript

Dave Bittner: Volkswagen warns North American customers of a third-party data breach. An anti-monopoly agenda advances in the U.S. House Judiciary Committee. Speculation about how the FBI recovered ransom from DarkSide. How EA was hacked. Is Avaddon going out of business? Craig Williams from Cisco Talos explains why they're calling some cybercriminals privateers. Rick Howard shares thoughts on professional development. And a strange case of a gamekeeper allegedly turned poacher.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 14, 2021. 

Dave Bittner: Volkswagen has warned customers it's experienced a third-party data breach. On Friday, Daniel Weissland, president of Audi America, sent affected Volkswagen Group customers in North America a letter warning them that their data may have been exposed in a third-party data breach. The company did not name the vendor who left the data exposed. 

Dave Bittner: The letter began, quote, "on March 10, 2021, we were alerted that an unauthorized third party may have obtained certain customer information. We immediately commenced an investigation to determine the nature and scope of this event. The investigation confirmed that the third party obtained limited personal information received from or about customers and interested buyers, including you, from a vendor used by Audi, Volkswagen and some authorized dealers in the United States and Canada. This included information gathered for sales and marketing purposes from 2014 to 2019. We believe the data was obtained when the vendor left electronic data unsecured at some point between August 2019 and May 2021, when we identified the source of the incident," end quote. 

Dave Bittner: Audi is one of Volkswagen's upmarket brands. The car company determined on May 24 that sensitive personal information was among the compromised data, and that discovery prompted Friday's letter. Much of the exposed information was relatively anodyne contact information, but this is still a matter of some concern. Other compromised data related specifically to customer interests, such as information about vehicles purchased, leased or even inquired about. And in some cases, the information was clearly more sensitive, including information relating to eligibility for a purchase, loan or lease. More than 95% of the sensitive data included was driver's license numbers. A few other items of personally identifiable information, including dates of birth, Social Security or social insurance numbers, account or loan numbers and tax identification numbers, were also exposed in some cases. 

Dave Bittner: TechCrunch says Volkswagen put the total number of customers affected in Canada and the United States at 3.3 million, with more than 90,000 figuring among those who lost the most sensitive data. According to Reuters, most of the affected customers were Audi shoppers. 

Dave Bittner: The U.S. House Judiciary Committee announced its anti-monopoly agenda Friday, and they've got Big Tech in mind. The bills, which advanced with what The Verge characterizes as bipartisan support, are the result of 16 months of deliberation by the House Judiciary Committee. 

Dave Bittner: The agenda, which the committee calls "A Stronger Online Economy: Opportunity, Innovation, Choice," includes five measures. First, the American Innovation and Choice Online Act, which would prohibit discriminatory conduct by dominant platforms, including a ban on self-preferencing and picking winners and losers online; the Platform Competition and Opportunity Act, which would restrict dominant platforms' acquisition of competitors; the Ending Platform Monopolies Act, which would restrict self-preference that inhibits competition; the Augmenting Compatibility and Competition by Enabling Service Switching Act, which has the clever acronym ACCESS and would lower barriers to entry and limit customer switching costs; and the Merger Filing Fee Modernization Act, which would increase merger filing fees to ensure that the Department of Justice and Federal Trade Commission have the resources they need to aggressively enforce the antitrust laws. The measures will now be available for consideration by the House. 

Dave Bittner: So how did the FBI recover ransom payments from the DarkSide's wallets? They must have had, many believe, the private key to the crooks' wallet. 

Dave Bittner: But how did they get that key? The bureau hasn't said, understandably, but Decrypt offers some informed speculation. Recorded Future's Dmitry Smilyanets thinks the answer lies in the DarkSide's affiliate structure. The portion of the funds recovered probably belonged to a less skillful affiliate. Decrypt coldly puts it, quote, "mere amateurs who ran a franchise operation under the real masterminds," end quote. 

Dave Bittner: The feds recovered 63.7 of the 75 bitcoins Colonial Pipeline paid the DarkSide. The missing 11.3 bitcoins amount to 15% of the total, and 15% is what affiliates owe big DarkSide when their franchise scores ransom. 

Dave Bittner: Smilyanets believes the affiliate made the rookie mistake of hard-coding their private key into the ransomware package they deployed. They also rented a server in the U.S. from cloud provider DigitalOcean for temporary storage of their funds before they could be shipped overseas. But they delayed in moving their take out of reach, and the FBI was quicker than they were. That's informed speculation. It's speculation, but also plausible. For now, the FBI is not offering any explanations. 

Dave Bittner: How did the crooks hack EA's network? 

Dave Bittner: They got into the company's Slack channel and persuaded a well-meaning employee to give them a login token. The hackers explained to Motherboard that they got into EA's Slack using a stolen cookie they purchased in an underground market for about 10 bucks. Why were the cookies important? Among the information cookies can save are a user's login details, and in this case the details were enough to enable the attackers to log in. 

Dave Bittner: Once in, the attackers Slacked members of EA's IT support team, said they'd lost their phone at a party the night before and asked for a multifactor authentication token so they could get back to work. That succeeded twice. Once inside, they found a service for game developers and eventually stole the code. The attackers provided Motherboard with screenshots that documented their hack and also some EA documents they stole in addition to the source code they took. 

Dave Bittner: EA confirmed to Motherboard that these were indeed the general outlines of the way the incident unfolded. 

Dave Bittner: The money to be made through the theft of the code may well lie in the revenue streams that flow through the EA games themselves. Game coins amount to a virtual currency, and TechRepublic claims that players of EA's popular FIFA spent 1.5 billion on FIFA coins in 2020. Compromising the games' source code could make gold farming - that is, playing the games to earn game coins and then selling them to other players for more liquid fiat currency - far easier and far more lucrative than it already is. 

Dave Bittner: The Avaddon ransomware gang is closing shop, or at least rebranding. 

Dave Bittner: BleepingComputer on Friday received an anonymous emailed tip with attenuated and misleading anonymity - it pretended to be from the FBI - that included a link to a zip file and a password to open it. The file contained decryption keys to Avaddon ransomware. BleepingComputer shared the files with Coveware and Emsisoft, both of whom confirmed that they were indeed what they claimed to be. Avaddon's Tor sites have all gone dark, and while the gang has issued no communique saying it's going out of business, that seems to be the case. 

Dave Bittner: Avaddon had over the course of last week pushed its victims harder in what BleepingComputer calls a mad rush to finalize payments. By Friday, they had effectively shut down, possibly because they were feeling too much heat. That's the view Emsisoft expressed to BleepingComputer - quote, "the recent actions by law enforcement have made some threat actors nervous. This is the result. One down, and let's hope some others go down, too," end quote. 

Dave Bittner: Emsisoft has released a free decryptor for Avaddon victims. 

Dave Bittner: Others think Avaddon may simply be rebranding, undergoing one of the periodic name-changes and reorganizations such groups undertake. The Record by Recorded Future summarizes infosec community opinion to this effect. Avaddon had been among the more professional criminal up-and-comers, and it may well be that this episode is simply designed to throw their pursuers off, not to go to ground permanently. 

Dave Bittner: Finally, in a strange case in which a gamekeeper apparently turned poacher, a former security executive faces hacking charges. The U.S. Department of Justice has indicted Vikas Singla, identified in media reports as a former executive with Securolytics, a cybersecurity firm based in Atlanta, Ga. We reached out to Securolytics by email for comment over the weekend, and we'll update this story should we hear from them. 

Dave Bittner: Mr. Singla was arraigned Thursday on charges related to a cyberattack against Gwinnett Medical Center in 2018. The indictment lists 16 counts of intentional damage to a protected computer and one count of obtaining information from a protected computer. The specific actions alleged include disrupting phone service, obtaining information from a digital device and disrupting network printer service. 

Dave Bittner: The U.S. attorney alleges that the attack was conducted in part for financial gain. 

Dave Bittner: And joining me once again is the CyberWire's chief security officer and also our chief analyst, Rick Howard. Rick, welcome back. 

Rick Howard: Thank you, Dave. 

Dave Bittner: So this is the last episode of Season 5 of your "CSO Perspectives" podcast that you've got coming up this week. Now, first of all, I can't believe five seasons completed already. Boy, has - not that time has had much meaning through COVID, but, boy, time has flown with the seasons of "CSO Perspectives." Congratulations. 

Rick Howard: Yeah. Well, thank you. And you're right. And - but it has blurred. You know, I can't remember Season 2 from Season 3. I can't believe we're on Season 5. 

Dave Bittner: Yeah, yeah. Well, bring us up to date here. What are you covering in the last episode of this season? 

Rick Howard: So again, a special one for this last episode. We're ending on a subject that you and I care a lot about - right? - and it is how do you stay current with the latest news and advancements in the cybersecurity space? And, you know, I would say that most of our listeners, the reason they listen to us is one of their sources of that information. 

Rick Howard: But I put that question to our CyberWire Hash Table collection of experts, about 30 in all. And I will say that everybody has a different way to do it, including me - all right? - everything from what we want to learn about to the information sources that we trust to get it. So in this episode, we summarize all of that, and I think our listeners will get a lot out of it. 

Rick Howard: But you're right. We're at the end of Season 5. Season 6 starts on 19 July. And the "CSO Perspectives" team is busily working on those episodes right now. And as I just want to hint here, I may take some vacation between now and then, too - just, you know, just saying. 

Dave Bittner: OK, we'll allow it. We'll allow it. 

Rick Howard: (Laughter). 

Dave Bittner: Well, I think, you know, the good news is that if our listeners cannot bear to be without the "CSO Perspectives" podcast while you're on your hiatus... 

Rick Howard: As they should all be thinking. Yeah, as they should all be thinking. 

Dave Bittner: That's right. Yes. As they're crying their tears. But they can always listen to the Season 1 episodes, which we've been releasing over on the ad-supported side of the house. What do we have there this week? 

Rick Howard: Yeah. So, Dave, as you know, we've been releasing my cybersecurity first principle strategies episodes. And so far, we've already talked about zero trust and intrusion kill chain prevention. But for this show, we're talking about resilience and the fact that a good resilience program can greatly reduce your chances of being materially impacted in the future due to some cyber event. So that's a good one. 

Dave Bittner: All right. Well, check it out. It's over on thecyberwire.com. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Craig Williams. He's the director of outreach at Cisco Talos. Craig, it's always great to have you back. You know, you and your team have attracted a little bit of notice lately with a recent blog post regarding threat actors and perhaps a new naming convention. Why don't you unpack it for us and share what you all are up to? 

Craig Williams: Absolutely, Dave. So one of the things that everyone's familiar with is the traditional type of threat actor, right? And what I mean by that is effectively someone who's working directly for the government, being paid to develop malware, to accomplish missions for that government, right? That's the traditional APT model that everyone's aware of, and we've all read countless reports on various activities. 

Craig Williams: The problem we noticed is that over the last, you know, couple of years, we started to see more and more actors pursuing behavior patterns that appear to be in line with interests of certain countries, but we don't believe the actor is working directly for those countries. And when we started seeing the pattern a few years ago - I think Rob Joyce (ph) was probably the first one to do it when he named specific hackers behind the NotPetya attack - right? - and he put their pictures up on CNN. That was really the first time that somebody had called out specific people and put out an indictment, at least that I can remember, on national television. 

Craig Williams: Now, the result of that was that nothing happened. And so looking back at it - right? - why did nothing happen, and why does it seem like that's happening again and again? And as we saw with the Colonial Pipeline attack - right? - one of the very first things President Biden did when he addressed the country was to call on President Putin of Russia to take action. 

Craig Williams: And so this is kind of the situation we're in, where we see these threat actors that are operating within the interests of a country that are really, in a lot of cases, directly benefiting from what appears to be state protection. And so what we wanted to do was define a set of criteria to draw a big circle around these groups so that we could talk about them with purpose. 

Dave Bittner: And the name that you're using for them is... 

Craig Williams: Privateer groups. 

Dave Bittner: And what made you select that as opposed to, let's say - I don't know - mercenaries or - you know, there - you had choices here, right? 

Craig Williams: Absolutely. You know, one of the ones I was a big fan of was marauders, right? You know... 

Dave Bittner: (Laughter) OK. 

Craig Williams: You look up the pirate definition of marauders, it's people in pursuit of loot and plunder, I think it was. So, you know, it's all tongue-in-cheek, right? When we use these type of names, we're trying to accomplish two things. One is to have something that will stick in people's minds, right? And the second one is one that accurately describes the group. And so what we're seeing here with these privateer groups is they're acting a lot like privateer groups from history, where we saw people acting with a letter of marque for countries, doing things in the name of the countries with effectively legal immunity from breaking the laws that are in the countries. 

Dave Bittner: Well, you have a set of criteria here that you've outlined to put someone into the category of privateer. Can you go through that with us? 

Craig Williams: Yeah, absolutely. You know, the first one, and I think the easiest one to spot, is that these groups are benefiting from either direct or indirect state protection, right? And what does that mean? Well, when countries say, these three people were behind this attack that ransomed a hospital or shut down an oil pipeline, you know, that crippled a country, that put people's lives at risk, if not actually cost people their lives through the ability of the medical industry not being able to function or other things like that, and nothing happens, right? The state is, at a minimum, tolerating them and in a lot of cases outright providing protection for those attackers, even though they're breaking local laws. 

Craig Williams: And, you know, just to dive into that a little deeper - right? - that's a pattern we see repeated. And what's really interesting about that pattern is when you look into the types of malware that are often deployed by privateer actors, it's usually got specificity in who it targets, right? It'll ignore things like Cyrillic keyboard types... 

Dave Bittner: Right. 

Craig Williams: ...And it'll try and ignore, you know, the independent states. So it's often something like that. You know, that's a lot of very common behavior we see in privateer groups. 

Dave Bittner: They're more careful about who they don't hit, perhaps, than who they do hit. 

Craig Williams: The way we joked about it, and - right? - that's how we deal with discussing these type of things, was that imagine you were a bank robber, right? You're a bank robber. You don't mind being on the Most Wanted list, right? You want to be a successful bank robber, you're going to be on that list. And if you have state protection, doesn't really matter that much anyway. 

Craig Williams: But where you run into problems is when you make the top 10 list. No one wants to be on the top 10 list, right? That's how bad things happen to you. That's how a drone might come after you. Really, if you're a bad guy, where you probably want to stay is around the 11 to 15 range, where you're not on the nightly news by name, right? 

Dave Bittner: (Laughter) Right, right. 

Craig Williams: You don't want... 

Dave Bittner: A comfortable second-tier actor. 

Craig Williams: Yeah. You don't want the president of some of the most powerful countries in the nations calling the president of the country where you reside saying, you need to arrest this person or there will be consequences. So while we do see privateer groups benefiting from that state protection, I don't think that state protection is infinite, right? There is a limit to these things. And like we saw with DarkSide, there did seem to be a little bit of scrambling towards the end there. 

Craig Williams: So I think that's a good way to think about it - right? - they're benefiting from direct or indirect protection, but there are probably limits to that protection. And, you know, like we saw yesterday - right? - where people are going to start considering cyber actions on par with kinetic actions, we may see further, more influential consequences for these actors. 

Dave Bittner: Right, right. What are some of the other things that will put them in the privateer category? 

Craig Williams: I think the main one is the fact that the country is not cooperating with foreign law enforcement, right? And this also includes intelligence organizations. You know, in any normal country, in any country that behaves responsibly, that cares about people of Earth, when these type of crimes are committed that put people's lives at risk, they offer extradition. They offer assistance. They don't say snide remarks on TV and then nothing ends up happening, and the pattern of behavior continues and wreaks havoc around the world, you know, before a politically convenient meeting. 

Dave Bittner: Right, right. All right. Well, you all have a blog post about this. It's titled "Elizabethan England Has Nothing on Modern-Day Russia." You can find that over on the Talos blog. Craig Williams, as always, thanks for joining us. 

Craig Williams: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.