The CyberWire Daily Podcast 7.21.21
Ep 1379 | 7.21.21

Historical threats to industrial control systems inform current security practices. Ransomware privateering and side-hustling. Updates on the Pegasus Project.


Dave Bittner: CISA warns of threats to industrial control systems. Ransomware can be operated either in the course of privateering or as an APT side hustle. Security firms outline new and evolving threats and vulnerabilities. Reaction continues to the Pegasus Project's reports on intercept tools. Joe Carrigan unpacks recent Facebook revelations and allegations. Our guest is Dave Humphrey from Bain Capital on his tech investment bets and predictions. And do you know what military grade means? Neither do we, but we think we have an idea.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 21, 2021. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency yesterday released an account of six cyberattacks on industrial control systems that occurred between 2011 and 2016, suggesting that more such attacks may be in the offing. The history is interesting in its specific attribution of the attacks to nation-states - one each to China and Iran, the remaining four to Russia. 

Dave Bittner: CISA also updated its alert on a Chinese cybercampaign that targeted pipelines between 2011 and 2013. The campaign wasn't confined to a single pipeline or a single operator, and the attackers generally approached their targets by social engineering. CISA wrote, quote, "23 U.S. natural gas pipeline operators targeted from 2011 to 2013 in this spear-phishing and intrusion campaign. Of the known targeted entities, 13 were confirmed compromises, three were near misses, and seven had an unknown depth of intrusion," end quote. 

Dave Bittner: The goal of the campaign seemed to be reconnaissance and staging. CISA concluded that the U.S. government has attributed this activity to Chinese state-sponsored actors. CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations. 

Dave Bittner: Theft of intellectual property was not the apparent goal. Again, quoting CISA, "CISA and FBI assess that these intrusions were likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft. This assessment was based on the content of the data that was being exfiltrated and the TTPs used to gain that access. One victim organization set up a honeypot that contained decoy documents with content that appeared to be SCADA-related data and sensitive organizational information. According to this organization, the SCADA-related decoy content was exfiltrated within 15 minutes of the time it was made available in the honeypot. Other sensitive decoy information, including financial and business-related information, was ignored," end quote. 

Dave Bittner: The warnings this week, and the attribution of ICS threats to three major hostile states, would seem to figure in the U.S. response to more recent incidents, including not only MSS exploitation of vulnerable Microsoft Exchange Server instances, but also Russian-tolerated or enabled ransomware attacks. It also coincided with the U.S. Transportation Security Administration's issuance of further security guidelines for pipeline operators. The guidelines were motivated in the first instance by REvil's ransomware attack on Colonial Pipeline, but CISA's revisiting of China's earlier campaign is more than coincidence. 

Dave Bittner: Russian toleration of ransomware gangs operating from its territory against targets in other countries was a sticking point in the Russo-American summit and follow-on conversations. The relationship between gangs and the Kremlin has been described as analogous to privateering. The gangs are able to romp freely through permissible targets and keep whatever they can steal. 

Dave Bittner: The Washington Post today describes how ransomware has become a feature of recent Chinese activity. In this case, the Ministry of State Security appears to contract with organizations to carry out operations under MSS direction. The contractors are then permitted some latitude for extortion or theft. This is more of a side hustle than it is privateering. The threat actors aren't roving cyberspace looking for prizes, but they're able to take prizes in the course of operating under state direction. 

Dave Bittner: Several reports from security firms this morning describe research into attack vectors and malicious techniques. Intezer describes its detection of a new attack vector hitting Kubernetes clusters through misconfigured Argo Workflows instances. Again, it's the configuration. 

Dave Bittner: Zscaler looks at Joker malware and outlines some of the techniques its operators have used to insinuate their code into apps that make it into the Google Play Store and, from there, infect victims who install the malicious apps. The techniques include URL shorteners, string obfuscation key changes and abusing the notification process. Joker steals sensitive information from infected devices and typically enrolls users in expensive and unwanted services. 

Dave Bittner: ReversingLabs describes how an NPM package can be used to introduce vulnerabilities into software supply chains. They found one NPM package that's being used to steal credentials stolen in Chrome browsers. 

Dave Bittner: Bitdefender has seen a spike in the wild of a new malware strain, MosaicLoader, a downloader that can deliver a range of payloads to victims. MosaicLoader propagates by advertising and representing itself as cracked software. Its victims are typically would-be users of pirated software. This should give everyone an incentive to resist the temptation to download stuff they shouldn't download. It's unlikely it will amount to a virtual free lunch. 

Dave Bittner: Investigation into the Pegasus intercept tool continues with The Guardian's account of alleged corrupt abuse of surveillance tools. While much of the attention NSO Group has drawn has centered on its sale of Pegasus to repressive regimes, there are other problems with the tool's dissemination. In the case of at least one journalist murdered in Mexico, apparently by a drug cartel, The Guardian suggests that the intercept tool could have been delivered to the cartel by corrupt law enforcement officials who had access to it in the course of their duties. 

Dave Bittner: Reaction to government use of Pegasus continues to run strongly in many countries. Opposition members of India's Parliament protested what The Washington Post quotes them as characterizing as a "national security threat" posed by the government of Prime Minister Narendra Modi itself, which has been accused of using NSO Group tools to monitor journalists, dissidents and political opponents. 

Dave Bittner: The Post also says that France has opened investigations into reports that French officials were themselves targeted by operators of the intercept tool. Morocco is suspected of running such an operation against French targets, but the North African country's government has denied doing so. 

Dave Bittner: And finally, a lot of reporting about cyber incidents lately has referred to military-grade malware or spyware or cyberweapons. A lot of the coverage of the Pegasus Project has used the expression. We don't want to criticize reporters and editors doing their front-page best, but we'd like to point out that military grade is almost invariably a marketing expression. In the case of intercept tools like Pegasus, it means nothing more than effectively used, well designed, or maybe expensive or sophisticated. But military grade carries a lot of scare value and also a gloss of official-sounding gravitas. 

Dave Bittner: But really, there's no such thing as military grade, although we've heard it applied to the sheet metal used in pickup truck beds as well as malware. There is, in the U.S. at any rate - and other countries have their equivalents - MIL-SPEC, which means, roughly, produced in accordance with the requirements specified in a contract. So our military desk pleads, let's resolve to hold off on calling anything military grade. 

Dave Bittner: My guest today is Dave Humphrey, co-head of Bain Capital's North American private equity business, where he's responsible for $10 billion in technology portfolio investments. I checked in with Dave Humphrey for his insights on the cybersecurity investment market, which areas have his attention and where he thinks we're headed. 

Dave Humphrey: Well, I think it's a fascinating time to be investing in technology and to be investing in cybersecurity broadly and, I think, information and identities that are flowing through all of those cloud and on-premises applications. And so we're seeing a lot of growth in just the security markets generally as there's a lot of growth in the technology markets, but we're also seeing a lot of innovation as new ways of using technology and new methods of deployment or growing methods of deployment are leading to new attack vectors and also therefore leading to new methods of defense. So I think it's an exciting time to be investing in technology writ large and certainly an exciting time to be investing in the security sector. 

Dave Humphrey: I think if you were to rewind several years ago, there were lots of cybersecurity themes around fortifying the perimeter and defense and depth, trying to keep bad actors out of networks or out of corporate technology. I think now there's a broad acknowledgement that security cannot just be about keeping bad actors out of corporate environments, but rather presuming that they are indeed in and using things like artificial intelligence and machine learning to evaluate and detect and respond to those actors that may already be inside corporate environments and to protect the identity and data information that's flowing in and out of corporate networks. 

Dave Bittner: What sort of advice do you have for the companies that are out there who are on the rise? You know, those startups who are hoping to attract the attention of organizations like your own - what sort of advice would you have for them? 

Dave Humphrey: So the advice that I would have really for any company, whether a startup or an established business, is to focus on what they do best and to distance their offering relative to their competitors and to do so in a way that creates a lot of value for their customers. We gravitate to businesses that solve a really important problem and that create real competitive advantage in doing so because they can continue to innovate and grow and scale on the basis of that premise. 

Dave Humphrey: Our recent investment in ExtraHop, which - or our pending investment, I should say, in ExtraHop, I think, is one example of that in the security sector. Our investment in Nutanix last year is another in the infrastructure markets. But we really would encourage businesses to focus on what they do best and to keep innovating. 

Dave Bittner: Is your outlook optimistic? Are you looking forward to the next few years here? 

Dave Humphrey: I'm a perpetual optimist, and so our outlook is indeed optimistic. I think that we see a lot of innovation going on. I mean, it's pretty remarkable, if you step back, the smartphone as we know it today, the iPhone, still only came out 14 years ago - the iPad, I think, 11. Cloud infrastructure on the basis of which we know it really only became a scale piece of enterprise infrastructures within still probably the last five, six, seven years and still has a long way to go. 

Dave Humphrey: All of that innovation and change is creating yet further innovation and growth and opportunity and allowing businesses to come up with new ways of doing things, and things that we can't even imagine as we sit here today. So as investors, I think that's an exciting thing. We're looking for businesses that have created some real advantage in doing that and supporting those businesses through that journey. 

Dave Bittner: That's Dave Humphrey from Bain Capital. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, this new book came out targeting Facebook. It's called "An Ugly Truth." It's written by Sheera Frenkel and Cecilia Kang. And it's quite sensational and attracting a lot of attention. But there are some specifics here that I think are worth digging into. I know a couple things have caught your eye. 

Joe Carrigan: Yes. 

Dave Bittner: What are you looking at here, Joe? 

Joe Carrigan: So I'm looking at the article that was on Business Insider earlier last week. And it talks about how between January of 2014 and August of 2015 - so, like, almost a period of two years - the company fired 52 employees over exploiting user data for personal purposes. 

Joe Carrigan: One engineer, who is unnamed, tapped into the data to confront a woman with whom he had been vacationing in Europe after she left the hotel that they had been sharing. So they were at the hotel. They got into some kind of spat. And she said, that's it; I'm out of here. And then he was able to find out where she was staying because he accessed her personal data on Facebook and found out her location and was able to physically walk up to her. 

Joe Carrigan: Another Facebook engineer used his employee access to dig up information on a woman with whom he had gone on a date after she ghosted him, right? And in the company systems, he had access to years of private conversations with friends over Facebook Messenger, events attended, photographs uploaded - and here's one of the parts that really irritates me - including those she had deleted, right? 

Joe Carrigan: So I know I hear you on "Grumpy Old Geeks" frequently asking about this. What does deleted mean on Facebook? It doesn't mean anything. 

Dave Bittner: (Laughter). 

Joe Carrigan: It just means we're not showing it to you anymore. 

Dave Bittner: Right. Right. Deleted for thee but not for me. 

Joe Carrigan: Right. Posts that she had commented or clicked on - which is another interesting thing. Facebook tracks just about everything you do with that mouse. They have scripts in the background that send everything back. So even clicking on a post, they know that you clicked on it. We've actually seen information that if you start responding to something and then you decide, nah, I'm not going to respond; I'm not getting involved in this, they still have what you started typing. They still have that in their records. And it's actually something that's fairly simple to do with JavaScript on the back end. It just sends it up to the server. And he was able to access all this information based on the Facebook app she had installed on her phone. 

Dave Bittner: Right, and real-time location data as well. 

Joe Carrigan: And he was able to see - yeah, he was able to see her real-time location. So he was able to really, really stalk this woman... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which is unconscionable. The book says that Facebook employees were granted user - this kind of data in order to, quote, "cut the red tape" that would slow down the engineers. But there was nothing but just honest behavior keeping the employees from accessing things they shouldn't be, from abusing their access. And that is probably good for 98% of the people. But Facebook had at the time 16,000 employees with access to this user data. 

Dave Bittner: Right. 

Joe Carrigan: So, you know, do the math on that (laughter). It's a lot of bad actors who can just access the information. Now, Facebook says, every time we found somebody accessing the information, we promptly fired them whenever they accessed it inappropriately. But how many times do they not catch people inappropriately accessing the information? I'd like to know that. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: It's - you know, there have been suggestions within Facebook to limit the number of people that have access to this data to about 5,000 (laughter), which is, you know, a step down from 16,000 but still a lot of people. This is why I - you know, I really don't trust Facebook, Dave. I really don't. 

Dave Bittner: Yeah, yeah. Yeah. I - you know, I think this - you want to - it would be great if we lived in a world where you could rely on the goodwill of people to make the right decisions and do the right things. 

Joe Carrigan: Right. 

Dave Bittner: But in a world where human beings have emotions (laughter)... 

Joe Carrigan: Yes. 

Dave Bittner: ...That we - and I say there's probably not one among us who has not been carried away by our emotions and behaved in a way that we were later embarrassed by or ashamed of - you have to put guardrails on these things, on people's private information, as this shows. 

Joe Carrigan: Absolutely. 

Dave Bittner: You know, a jilted lover may not be reacting in a rational way. And so you need to protect the people on your platform. And to me, this speaks to a culture - certainly back when this was a problem. I mean, you know, this may be a fixed problem by now. 

Joe Carrigan: Right. 

Dave Bittner: But as this book points out, back in 2015, that was not the case. 

Joe Carrigan: Yeah. 

Dave Bittner: Facebook was prioritizing, you know - what is the - move fast, break things. They were prioritizing... 

Joe Carrigan: Right. 

Dave Bittner: ...Their engineers' ability to do the work that they wanted to do over their users' privacy. 

Joe Carrigan: Right. 

Dave Bittner: And if you're a Facebook user, I think you need to take that into consideration how much you engage with that network. And particularly when you see things like your deleted photos aren't actually deleted, to me, that's a real violation of trust. 

Joe Carrigan: Right. I would agree. I mean, that would be something that would be simple to implement, right? If I go ahead and I say I want to delete this photo, I think we both understand, Facebook, that I'm wanting to delete this photo and you... 

Dave Bittner: (Laughing). 

Joe Carrigan: I - it's pretty clear I expect you to also delete the photo, right? 

Dave Bittner: Right. I - yeah. 

Joe Carrigan: I don't expect you to keep it on your hard drive forever and keep it associated with me. 

Dave Bittner: Nope. Nope. 

Joe Carrigan: I don't expect you to set some flag in the database to delete it. I actually want that photo deleted from your system. 

Dave Bittner: Well, Joe, you clearly have not read the EULA from start to finish where... 

Joe Carrigan: No, of course not, Dave. Who does read the EULA from start to finish? 

Dave Bittner: (Laughter) Right, right. Exactly. 

Dave Bittner: All right. Well, as we said at the outset, I mean, this book is attracting a lot of attention, and certainly a bit sensational in the way it presents things. But I think at the core, there are some really interesting issues here worthy of discussion... 

Joe Carrigan: I agree. 

Dave Bittner: ...So glad we had the opportunity to discuss it here. Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, the military-grade Gina Johnson, Bennett Moe, Chris Russell, John Petrik, military-grade editor Jennifer Eiben, military-grade CSO Rick Howard, Peter Kilpe. And I'm Dave Bittner, decidedly not military grade. Thanks for listening. We'll see you back here tomorrow.