The CyberWire Daily Podcast 7.22.21
Ep 1380 | 7.22.21

Extortion is the motive in the Saudi Aramco incident. Updates on the Pegasus Project. Chinese cyberespionage and Beijing’s tu quoque. FIN7 resurfaces, and a post-mortem on Egregor.


Dave Bittner: It's extortion after all at Saudi Aramco. Controversy and investigation over alleged misuse of NSO Group's Pegasus intercept tool continues. Warning of Chinese espionage from ANSSI and China's denunciation of all this kind of baseless slander. Phishing in Milanote. FIN7 resurfaces after the conviction of some key members. Dinah Davis from Arctic Wolf on the importance of identity management. Our guest, Jenn Donahue, shares key strategies for mentoring and supporting female engineers, scientists and leaders of the future. And IBM sifts through the ashes of a ransomware gang for a look at the business of crime.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 22, 2021. 

Dave Bittner: The motivation for the data theft incident at Saudi Aramco had been obscure, but it's now become clearer - it's conventional extortion. Saudi Aramco yesterday said, the AP reports, that the data loss incident it sustained has indeed become an extortion attempt. Attackers who obtained company files, apparently through a third-party contractor, are demanding $50 million in exchange for a promise to delete the data. If they're not paid, they intend to leak the stolen files. 

Dave Bittner: The controversy over the proliferation and use of NSO Group's Pegasus intercept tool continues. The Washington Post, one of the organizations participating in the Pegasus Project, writes that among the devices compromised with the tool were phones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi. 

Dave Bittner: NSO Group has consistently said that its product is designed for and sold to government law enforcement and security organizations for legitimate purposes and that the list of 50,000 phone numbers Forbidden Stories and Amnesty International obtained has nothing to do with NSO. NSO Group CEO Shalev Hulio told CTECH, quote, "I'll give you a simple statement - journalists, human rights activists and civil organizations are all off-limits," end quote. The list of numbers the Pegasus Project obtained has been widely reported as amounting to a surveillance target list. One of the leaders whose associates figure on the list is the Dalai Lama, presently in long-term exile in India, which the Guardian suggests may represent an interest on the part of India. 

Dave Bittner: NSO Group has claimed that it does what it can to monitor abuse of its products and that it's selective in whom it sells to. But the company has long been criticized for the misuse that's been made of Pegasus. Investigations into the use of Pegasus are now underway in France and Israel. France is investigating reports that its leaders were placed under surveillance from Morocco. And Israel has established a task force, the Guardian says, to both investigate product Pegasus' reports and coordinate a response. Allegations of the use of surveillance tools has become a significant political scandal in India, Mexico and Hungary. The Electronic Frontier Foundation argues that the results of Project Pegasus show the need for both better device security and international bans on dragnet surveillance. 

Dave Bittner: ANSSI, France's national cybersecurity agency, has warned that APT31, also known as Zirconium and Judgment Panda, a Chinese industrial espionage group, is hijacking home routers to lend resilience to its attack infrastructure. China continues to frame criticism of its extensive cyber-espionage operations - notably its exploitation of vulnerabilities in Microsoft Exchange Server, but as we've seen, not confined to that particular campaign - as essentially American-led disinformation. It is, the government-controlled Global Times says, a wide-ranging plot to slander and contain China. The co-conspirators include the U.S., NATO, the European Union, Australia, Britain, Canada, Japan and New Zealand, with U.S. President Biden cast in the unlikely role of Professor Moriarty, the criminal mastermind pulling the secret strings. The Global Times argues that, quote, "this unusually broad coalition of Western countries has coalesced to publicly blame China for cyberattacks," end quote. 

Dave Bittner: Really, Beijing's representatives say, the international villain is the U.S., which since 2000 has engaged in relentless cyber-espionage against China. It's all in vain, of course, since China's rise is inevitable and irreversible. But still, Beijing says, it's time the U.S. were brought to book as a rogue state. So the response is a routine tu quoque. One novel wrinkle in the Global Times article is its identification of the SWIFT international fund transfer system as a tool of the U.S. intelligence community, which uses it to track and presumably influence the flow of money to and through the world's banks, especially those in the Middle East and Latin America. 

Dave Bittner: Security researchers at Avanan have found the popular Milanote collaboration and note-taking app being used to host and distribute phishing messages with malicious links. The victims get an email with an attachment said to be an invoice. Opening the attachment renders a document with a link inviting the prospective mark to open docs. If the mark clicks, they're directed to a page in Milanotes, which again, invites them to open docs. If they do at this point, they're taken to the malicious link. It's a multistage phishing lure. And at each stage, it more or less looks like something from the collaboration tools many use in ordinary business, so caveat clicker. 

Dave Bittner: eSentire reports that despite the arrest and conviction of some leading members of the FIN7 gang, the criminal group also known as Carbanak, FIN7 is back in action. The gang used a bogus legal action against Brown-Forman, the large Louisville-based distiller whose brands include Jack Daniels and Old Forester, as its phish bait. Quote, "the initial stage of the malware arrives as an Excel attachment, which downloads and executes a variant of the JSSLoader Remote Access Trojan," eSentire writes, adding that "the variant has been reported as being used by the FIN7 group. The malicious Excel document leverages Windows Management Instrumentation to install the RAT. Once installed, JSSLoader provides the threat group with a backdoor to the victim's computer and the organization," end quote. 

Dave Bittner: FIN7 is financially motivated, involved in credit card theft and having some connections with the Ryuk ransomware gang. Most recipients of an odd-looking letter of complaint might well regard it as phishy, but eSentire points out that large law firms working across several verticals are the kind of target that might well be inclined to open it as a routine communication. This particular phishing attempt seemed opportunistic and not necessarily long prepared or closely targeted. 

Dave Bittner: Researchers at IBM's X-Force, sifting through the ashes the Egregor ransomware gang left behind when it was burned and dismantled back in February in an international sting operation, have offered some insights into the way the gang presented itself in chats with its victims. The gang offered holiday wishes, clucked over the hard times the victims might be going through and complained about the boss because, gosh darn it, we're just regular working stiffs over here and our suits are as much a pain in the patootie as yours probably are. So the chatter presented the gang as well-organized, with well-defined roles including the financial department, data manager, IT specialists, PR manager, publications manager and decryption tool master maker. It's what might be called military-grade organization if we hadn't forsworn using that expression. Let's just say that the hoods want to be perceived as running their criminal operation like a business. And all that compassion - eyewash and smug PR. So they really are running their crimes like a certain kind of business. But don't be deceived. As IBM puts it, despite the holiday wishes and reduced ransom in some instances, the December 2020 chat logs obtained by X-Force and Cylera demonstrate that many Egregor attacks were a successful, ruthless criminal operation. 

Dave Bittner: There are encouraging signs that more women are pursuing technology careers and cybersecurity careers in particular. Jenn Donahue is a captain in the U.S. Navy and president of JL Donahue Engineering, as well as being a popular lecturer and mentor. She joins us with insights on providing meaningful mentorship to that next generation of young women. 

Jenn Donahue: So I think that I've been an engineer since I was about 10 years old. And this basically started when I had a Barbie house. And I had more fun actually tearing it apart, putting it back together, reconfiguring it than I ever did actually playing with Barbie. I mean, I honestly don't think she ever got to live in the house 'cause it was always being renovated. 

Dave Bittner: (Laughter). 

Jenn Donahue: And that's basically how it all started. And I have had the most exciting journey. I went to Texas A&M. I became an ocean engineer. Then I joined the Navy, and I became a civil engineer with them. I got to travel all over the world, did all kinds of really interesting projects from building roads, drilling and blasting, schools. I mean, you name it - had an incredible time. And once I was done with my active-duty time, I decided to get out and join the civilian world, became another civil engineer as a project manager. I built the two runways down at the San Jose airport and then decided I needed a little bit more. And so I went to UC Berkeley, which is about the opposite of Texas A&M, and got my master's and Ph.D. in engineering seismology. 

Dave Bittner: Now, on your way up - I mean, I'm thinking particularly in the Navy as an engineer - were there any particular challenges that you faced being a woman in a male-dominated field? 

Jenn Donahue: Absolutely. Back in the '90s, they started to allow women into more combat positions. And so I was one of the very first female officers that joined the Naval Mobile Construction Battalions. There was only three of us female officers in a sea of, you know, what was a boys club since 1942. And that had a lot of challenges with it because there were so many ingrained psyche, you know, as far as, like, you know, the way things that, you know, are supposed to be done. And then you start to introduce females into it, and it was - you know, it sort of broke for a couple years, and it was really difficult. Being an engineer and just sort of the way that I was - I grew up on a street with all guys, you know, climbing trees and jumping fences - it wasn't as tough for me as some of the other females that hadn't had that experience, where they were around guys all the time. And so you did see some sexual harassment, and they just really got kind of picked on. And that was one of the things that was really hard, but there was a lot of others that were really supportive of us and being there. And those are the people that you really try to align with as much as possible to really try to help you out. 

Dave Bittner: You know, similarly, in cybersecurity, it's an ongoing challenge to attract young women and women who are thinking of changing careers to the industry, because historically, I think it's fair to say that it's been considered a bit of a boys club. We made a lot of progress along the way, but there's still plenty of work to be done. And I'm curious what your insights are on, you know, what you think are effective ways to welcome women into the field. 

Jenn Donahue: I think that there's twofold. So one of them is the recruiting piece, and then the other one is the retaining piece. And so on the recruiting piece, I think that's where - I think we all need to do a better job of looking at women who have that fire and that drive that you can just see is like, this is someone who really wants to excel, you know, no matter what, and really look to try to recruit those types of folks, because those are the ones that are really going to try to stick around and make a difference. And then for the ones that are already in, I think it's really incumbent upon us to look down in the field and try to find others that we can reach out a hand and try to help them up. You know, do what we can to mentor them. I mean, mentoring is so important. You know, as a young engineer, man, I never had a mentor. I was a wild little thing running around. And if I had a mentor, it probably would've been a whole lot easier. 


Jenn Donahue: Wouldn't have made as many mistakes as I did. But now that I look at it, I feel like that's one of my purposes, is I need to find others that I can help mentor so that maybe they have it a little bit easier than what I did. 

Dave Bittner: What do you hear from the young women coming up, when they discover that there are folks like you out there who want to lend that hand, who want to reach out and nurture them on the way up? 

Jenn Donahue: I think it's a revelation. But at the same time, I'm noticing - because I used to teach at UC Berkeley for a couple semesters. They were enthralled by the fact that they actually had a female professor. And one of my good friends is there now. She took my place whenever I moved up to Oregon. But she has so many young women coming into her office all the day - all day saying, wow, I see that you did it. I can do this, too. And that's the type of momentum that we need to have. And so it's so important to recognize that there are some women out there that would really like to be mentored. And I would say, you know, being a female and as a position of leadership, I think that that's something that we should do. But I think it's also incumbent upon the men as well, because men usually have more of a position of power, you know, for them to be able to sponsor somebody and bring them up. 

Dave Bittner: That's Jenn Donahue. She's president of JL Donahue Engineering. 

Dave Bittner: And joining me once again is Dinah Davis. She's the VP of R&D operations at Arctic Wolf. Dinah, it's always great to have you back. We wanted to touch base today about Operation Ironside, which in itself, you know, sounds like an old TV show that my parents watched. But beyond that, I think there's more to it. Can you unpack it for us? What are we talking about here today? 

Dinah Davis: Yeah, I think, like, Operation Ironside is, like, the whole reason a lot of people get into cybersecurity. It's just the coolest part. And you just know, one day this is going to be some cool movie. And you can already start imagining, like, who is playing what character, right? 

Dave Bittner: Right. 

Dinah Davis: So Operation Ironside is something that was run by the FBI and the Australian Federal Police. So I'm just going to call that AFP going forward because that's just long. 

Dave Bittner: Fair enough. 

Dinah Davis: So in 2018, they took down a secure chat app called Phantom Secure. And they went out for beers after. This is the story that I heard. They went out for beers after, some of the FBI guys, some of the AFP guys. And they were kind of, like, joking that, like, wouldn't this be a great time to fill the void in the market for a secure chat app? 

Dave Bittner: We could do that. My parents have a barn, right? I have a piano. 


Dinah Davis: Right. 

Dave Bittner: Right. 

Dinah Davis: Yeah. OK, let's do it. 

Dave Bittner: (Laughter). 

Dinah Davis: So then, like, an FBI guy goes, well, actually we have a guy that we're using as an informant, and he actually has an app like this. Maybe we could write some backdoors into it. Yeah, that's what they actually did. So this informant gave them access to this new tool called ANOM. And the idea was to get it into the hands of criminals, and all the data would be sent back to the FBI and the AFP. 

Dave Bittner: Right. So I'm a bad guy and I figure that I need a secure way to communicate with my partners in crime. And word on the street from other folks in similar lines of business is that this ANOM app is secure and a great way to do that. 

Dinah Davis: Yes, exactly. That's exactly it. 

Dave Bittner: And then meanwhile (laughter), behind the scenes... 

Dinah Davis: Everything is being recorded. 

Dinah Davis: Wow. 

Dinah Davis: Every single message is going back to the FBI and the AFP - every single one. 

Dave Bittner: What do you make of this? I mean, when I heard this story, part of me thought to myself, is there anybody I can trust? Like, you know, does this mean I can't trust apps like Signal, you know? Like, do you have any thoughts along those lines? 

Dinah Davis: Yeah, it totally makes you think twice about things. Right? 

Dave Bittner: Yeah. 

Dinah Davis: And I do think it is going to erode trust in those types of things. Now, I would say apps like Signal have a much more - like, they're widely used. They're marketed. They're on the legal market. They're going to want to prove that they don't have back doors - right? - whereas this was, you know, clandestine. In fact, one of the cool parts about it for me was how you actually get into the app. So you actually buy this as a whole phone. Like, it's a burner phone that you buy. And the only apps that look to be on there is, like, your text messaging and calculator. And to get into the app, you would actually type, like, a password number into the calculator app and then that would open it. 

Dave Bittner: (Laughter). 

Dinah Davis: So, like, it was really thought out well because if they gave these phones - like, let's say you got arrested and law enforcement took your phone, they would just look at it and go, oh, it's just a burner phone with a calculator app on it. Nothing's there, right? 

Dave Bittner: Right. 

Dinah Davis: So these criminals really thought they were talking across super secure communications, and that meant that they didn't, like, use any codes at all, like, any coded words or anything. They really just said everything. 

Dave Bittner: And eventually, what - how did this become public knowledge? What - how did the cat get out of the bag? 

Dinah Davis: Yeah. So actually, somebody on - this became really, really big in biker gangs in Australia and then other organized crime around the world. And they actually had a security expert on their side, and they noticed that the traffic was going to the U.S. - like, all the traffic. And they thought, this is kind of bad. So I think from there, the AFP and FBI thought, our gig might be up here, so we better just drop the hammer. And they made 224 arrests on more than over 500 charges just in Australia alone, and they seized 3.7 metric tons of drugs and $35 million in cash. And they even said that they would probably notice a drop in crystal meth in the sewage systems in Australia because of this hit. 

Dave Bittner: Wow. That's amazing. 

Dinah Davis: Yeah, yeah. 

Dave Bittner: (Laughter) All right. Well, I mean, I guess, you know, hats off to the FBI and their partners in Australia for having the vision to conceive of this and then see it through, right? Sounds like it was a big success. 

Dinah Davis: Yeah, it's pretty cool - can't wait to see the movie. 

Dave Bittner: Yeah (laughter). Yeah, I don't know. Maybe we can get Tom Cruise, Tom Hanks. I don't know who would be the best star... 

Dinah Davis: I don't know. 

Dave Bittner: ...Any of those guys could. Denzel Washington - he'd be great, too, yeah. 

Dinah Davis: Yeah, that'd be a good one. 

Dave Bittner: All right (laughter). Dinah Davis, thanks for joining us. 

Dinah Davis: No problem. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.