The CyberWire Daily Podcast 8.2.21
Ep 1387 | 8.2.21

SVR was reading the US Attorneys’ emails. Deliveries still lag as South African ports reopen. EA hackers dump game source code. Another look at criminal markets. And Mr. Hushpuppi cops a plea.


Dave Bittner: The SVR may have compromised 27 U.S. attorneys' offices. Ransomware disruptions of a physical supply chain continue as South African ports reopen. The EA hackers give up and dump the source code they stole. Double extortion may not be paying off. A look at initial access brokers. Operation Top Dog yields indictments in an international fraud case. Rick Howard tackles enterprise backup strategies. Kevin Magee from Microsoft has lessons learned hiring multiple team members during COVID. And a decryptor for Prometheus ransomware is released.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 2, 2021. 

Dave Bittner: The SolarWinds campaign successfully hit accounts in 27 U.S. attorneys' offices, the U.S. Department of Justice said late Friday. Among the offices most affected were the eastern, northern, southern and western districts of New York, where 80% of employees' Office360 accounts were compromised. Why those districts were particularly affected is unclear, and Justice didn't elaborate on the reasons. 

Dave Bittner: As is now well-known, the U.S. has attributed the SolarWinds campaign to Russia's SVR Foreign Intelligence Service. The Justice Department said, quote, "the compromised data included all sent, received and stored emails and attachments found within those accounts during that time," end quote. Specifics of the damage done remain a matter of speculation, with several discussions of the possibility that, for example, information about confidential informants could have been compromised. 

Dave Bittner: The Justice Department is acting on the basis of worst-case assumptions. Their announcement said, quote, "the department is responding to this incident as if the Advanced Persistent Threat group responsible for the SolarWinds breach had access to all email communications and attachments found within the compromised O365 accounts. The APT is believed to have access to compromised accounts from approximately May 7 to December 27, 2020. The compromised data included all sent, received and stored emails and attachments found within those accounts during that time," end quote. 

Dave Bittner: It was, of course, email accounts that were compromised. And the BBC, citing conversations with former prosecutors, said that U.S. attorneys' personnel commit a great deal of sensitive material to email. USA Today quotes a former prosecutor as saying, quote, "I don't remember ever having someone bring me a document instead of emailing it to me because of security concerns," end quote, with the exception of certain classified material. 

Dave Bittner: Although Transnet's recovery from the ransomware attack it sustained is well underway and port services in South Africa have returned, the cyberattack effects continue to linger in the supply chain. Asiafruit reports that deliveries of fresh produce have been significantly disrupted, and Automotive Logistics finds similar stresses in auto parts shipments. 

Dave Bittner: The Record reports that extortionists who hit Electronic Arts last month failed to either get the game-maker to pay ransom or to find third parties willing to buy the files they stole during their attack. Last week they dumped some 751 gigabytes of compressed EA data onto an underground forum from where the data have been circulated to various torrent streams - data which includes game source code mostly. No customer data appear to have been at risk. The source code leaked includes the widely played and popular FIFA 21 soccer game. 

Dave Bittner: The hackers seem to have misjudged their market. The attack came to light on June 10, when those who claimed responsibility for the incident posted a note in an underworld market announcing that they were in possession of EA data which a buyer could have for $28 million. No one apparently bit. Giving up on finding a buyer, the criminals then contacted EA with an offer not to publish the stolen data. EA wasn't interested, either, so the thieves gave up and simply dumped the code online. 

Dave Bittner: Looking elsewhere in the criminal marketplace, security firm Recorded Future also thinks it sees a decline in double extortion from the highs it reached in December. Double extortion, of course, is encryption to render data unavailable and threats to release the data if not paid. It may be that this second threat isn't really paying off for them. 

Dave Bittner: Recorded Future's Allan Liska said, quote, "ransomware actors came up with this whole system that they thought would encourage people to pay, and us researchers and journalists lapped it up and said it made perfect sense. But we've seen over time that companies don't really suffer consequences if their data winds up on extortion sites. Ransomware actors aren't always the psychological geniuses we think they are," end quote. 

Dave Bittner: IT Pro speculated recently that there may be signs the ransomware operators were growing a conscience. This seems wildly and unreasonably optimistic to us, but the criminal market has shifted. 

Dave Bittner: With BlackMatter apparently picking up where DarkSide and REvil left off and DoppelPaymer rebranded as Grief, the criminal-to-criminal market remains lively. Security firm KELA has been tracking the recent fortunes of initial access brokers in this hot subsector of crime. Their report on initial access brokers, released this morning, discerns five trends in this criminal-to-criminal market. 

Dave Bittner: First, the pricing of initial access is based on the size of the company compromised and the level of privilege the broker has achieved within the network. Quote, "the average price for network access during July 2020 through June 2021 was $5,400, while the median price was $1,000. Twenty-five percent of the listings posted for sale were confirmed to be sold by initial access brokers." 

Dave Bittner: Second, there's a growing diversification in the kinds of access being hawked. KELA says, quote, "the term network access is very loosely defined. Threat actors use it to describe multiple different vectors, permission levels and entry points," end quote. RDP and VPN access remain the most common offerings. Some of the newer attack vectors being sold seem to represent me-tooism, in which criminals follow the trail blazed by intelligence services in such compromises as those that afflicted SolarWinds and Kaseya. 

Dave Bittner: And third, it appears that some of the more successful initial access brokers are becoming quiet. But this doesn't mean they're fading away or going to ground. Quote, "it doesn't necessarily mean that initial access brokers suspended their activity. Rather, KELA concluded that the decrease is due to the fact that IABs simply moved part of the deals to private correspondence with middlemen or ransomware affiliates in an effort to avoid detection from researchers and law enforcement agencies," end quote. 

Dave Bittner: The fourth trend KELA calls a growth in professional ethics. That is, there seems to be a tendency for some of the brokers to avoid selling access to, for example, health care organizations. KELA says, quote, "as some ransomware gangs such as DarkSide promise not to target certain sectors, new ethics seem to be established among actors participating in the ransomware-as-a-service economy. Depending on the gangs, they were seen forbidding their affiliates to attack health care, government, education and nonprofit sectors to not cause damage to patients, students, citizens and other categories of people. The ransomware gang seemed to pass a message. They hunt only companies and aim only for financial gain," end quote. 

Dave Bittner: We would hesitate to call this ethics, especially since we've seen how readily such resolutions of good behavior were abandoned by the cited ransomware gangs where altruism and respect for the common good took a distinct backseat to the main chance. As KELA qualifies their conclusion, quote, "however, there are still no rules on this matter. Most of the brokers still sell all the accesses they were able to gain," end quote. 

Dave Bittner: One rule seems firm, however. Russian-speaking gangs don't hit Russian targets. We'll leave it as an exercise for the listener to speculate as to whether this represents patriotic compunction or simple self-preservation. 

Dave Bittner: And finally, some of the initial access brokers are seeking to monetize their wares in other ways, usually by engaging in some data theft or extortion on their own. The double extortion approach may be showing signs of being played out, but the brokers are new enough to the game, perhaps, to figure, well, why not? 

Dave Bittner: The U.S. Justice Department late last week announced the indictment of six people for attempting to defraud a businessman interested in establishing schools in Qatar. The amount the alleged crooks were allegedly after came to more than $1.1 million, a sum they subsequently intended to launder. 

Dave Bittner: That's interesting enough, but more interesting are the confession and guilty plea of Ramon Olorunwa Abbas, better known by his hacker name Ray Hushpuppi. Mr. Hushpuppi, a Nigerian national 37 years young, is alleged to have connived with a senior and much-decorated Nigerian police official in his crimes. The U.S. would very much like to see supercop Abba Alhaji Kyari, deputy commissioner for the Nigeria Police Force, answer for his alleged role in supporting a fraud ring that has operated globally. 

Dave Bittner: Nigerian authorities are looking into the conclusions the U.S. FBI has drawn in their Operation Top Dog, as the investigation is called, but The Washington Post reports those authorities aren't saying whether they've suspended Mr. Kyari. Mr. Kyari has denied any wrongdoing. 

Dave Bittner: And finally, bravo, CyCraft. The Record reports that the Taiwan-based security firm has released a decryptor for Prometheus ransomware. 

Dave Bittner: And it is always a pleasure - dare I say a thrill? - to welcome Rick Howard back to the show. He is the CyberWire's chief security officer and also our chief analyst. Rick, welcome back. 

Rick Howard: A thrill, you say. Man, oh, man. I love it. 

Dave Bittner: (Laughter) Maybe I shouldn't say that till we're done recording, right? I shouldn't... 

Rick Howard: Exactly (laughter). 

Dave Bittner: ...Shouldn't preload it. 

Dave Bittner: So on this week's "CSO Perspectives" podcast, you are continuing your discussion about resiliency, which is a first principle infosec strategy. Now, last week you talked about encryption, but this week you are talking about backup and restore operations, which is a key and essential piece to business continuity and disaster recovery planning. What can we expect this week, Rick? 

Rick Howard: Well, you're right, Dave. And it's funny. If you talk to any IT or security pro about disaster recovery, without fail, they all seem to have their own personal catastrophic recovery story, you know, where they had to wrestle with the gods of epic failure to reclaim some important piece of lost data. So my question to you is what's your disaster recovery story? 

Dave Bittner: Oh, man. I have a recent one. I was - I recently was updating my Mac to Big Sur, you know, the recent... 

Rick Howard: Yeah. 

Dave Bittner: ...OS. And I have - I had a Time Machine backup that was attached to the machine. And I also had a secondary backup. 

Rick Howard: Yes, you do, of course. 

Dave Bittner: Yeah. So - right. Belt and suspenders, right? 

Rick Howard: (Laughter). 

Dave Bittner: So I run my system upgrade, and this is the first time I'm upgrading to the new OS. It takes its time, as these things can happen. And it runs, and it runs, and it runs, and it runs. At the end when it's done, I get things up and running. I go to look to my backups, and they're gone. Everything's gone. 

Rick Howard: (Laughter). 

Dave Bittner: My Time Machine's gone. 

Rick Howard: Oh, no. 

Dave Bittner: My secondary backup is gone. It's just gone. It's just gone, Rick. It's all gone. It's all gone (laughter). 

Rick Howard: I remember when this was happening, and there was this black cloud hovering over the headquarters there, right? It's like, oh, no. 

Dave Bittner: It's the worst feeling in the world. 

Rick Howard: It really is. 

Dave Bittner: And, you know, shame on me for doing a system update and leaving those backups attached to the system, right? That is 100% on me. And I did that wrong. 

Rick Howard: Yeah. 

Dave Bittner: So - I mean, that's the story in a nutshell. Is this - does this ring a bell? Is this a familiar tale with you and your buddies? 

Rick Howard: It totally is. And I feel you, Dave, all right? 'Cause we've all been there, right? 

Dave Bittner: Yeah. Yeah. 

Rick Howard: And in this episode, I relay my own personal story where I just about lost 20 years of family data, all right? So I understand where you're coming from. 

Dave Bittner: Wow. 

Rick Howard: And all I can say is thank goodness for the Best Buy Geek Squad and their hard drive recovery services, right? So... 

Dave Bittner: (Laughter) Right. 

Rick Howard: (Laughter) So - but for this episode - OK? - I wanted to talk about enterprise backup and restore operations - all right? - in connection with our first principle strategies. You know, with ransomware having a moment right now, pursuing all of our first principle strategies - intrusion kill chain prevention, zero trust, risk assessment and resiliency - will greatly reduce the probability that a ransomware gang will have success against your organization. And you can't do resiliency without encryption and backups. 

Dave Bittner: All right. Well, fair enough. I will say I will be listening with great interest. 


Rick Howard: As we all do. 

Dave Bittner: With renewed interest, yeah. So it's "CSO Perspectives." It is part of CyberWire Pro. You can find out all about that on our website, Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I'm pleased to be joined once again by Kevin Magee. He's the chief security officer at Microsoft Canada. Kevin, it is always great to have you back. You know, you and I were talking offline, and you mentioned that you have been going through a bit of a sprint when it comes to hiring. And I wanted to check in with you on that, just sort of lessons and insights that you have learned from going through that process. 

Kevin Magee: Hi, Dave. Thanks for having me back. It's a topic that's really near and dear to my heart. And I think as cybersecurity leaders, the most important thing we can do is make sure that we hire the right folks, we onboard the right folks and we develop them as security professionals. And that means really thinking differently. 

Kevin Magee: As we move into the pandemic, it became much more challenging to really connect with people and to find the right folks. But it also created a lot of opportunities to expand our thinking about where we could draw from talent pools not just in geographic locations because location didn't matter anymore when we all started to move to a lockdown perspective, but also just different backgrounds and different perspectives. And I think what's come out of this expansion during a time of a pandemic is I've really been able to grow a very diverse and strong team because of, really, the constraints that the overall pandemic imposed. 

Dave Bittner: When you say diverse, what do you mean? How - what was your approach to that? And what are the successes and challenges you've experienced? 

Kevin Magee: Well, we finally hit gender parity, for instance, on our team. We have an equal number of men and women on the team. And it was a big challenge to make sure that we did the right things and we brought the right talent into the process. 

Kevin Magee: So no one was ever given a role on our team because they represented a certain background or whatnot. Everyone competed. But making sure that everyone that we wanted to have a chance at the job really had that same equal playing field, and that meant making sure that we looked for not a fit for the team, but who could add to the team. We didn't look to screen out candidates. We looked to screen in candidates. What could they bring to the organization? What could they bring to the team that we didn't have? And that meant different backgrounds in terms of education, gender, stage of career and whatnot as well. 

Kevin Magee: So taking a very inclusive and open-mindset approach to hiring as opposed to screening people out, finding reasons why they shouldn't join the team was - made all the difference. It's much more time-consuming. It takes a lot more effort by the hiring manager. And it's ultimately, though, you know, the best thing you can do to really strengthen your team and make it much more effective. And I'm already beginning to see the results of all of this new talent, all this new perspective and all this new diversity we've brought to the team. 

Dave Bittner: What sort of results are you seeing? What does that lead to in terms of outcomes? 

Kevin Magee: Well, it can be everything from just having different people at different stages in career. So a great example - when someone brings up a new social media service or whatnot, I'm in my late 40s. I don't use a lot of these platforms or services. So having someone that's more familiar with those solutions and uses those solutions, you know, great opportunity to really tap that knowledge. 

Kevin Magee: The other thing I find - I now started to notice a lot of my biases. I came up the security chain in the network security world. So I always follow the packet. That's how I think about security. But in a cloud world with service applications, containers and whatnot, I find a lot of what I learned, all that 30 years of experience I have sometimes holds me back in really seeing the greater picture. 

Kevin Magee: And those biases need to be challenged. And we do that by adding people at a different stage of their career who grew up in the container age, who really don't know anything different. They have a different perspective. And allowing them to speak truth to power, to really feel empowered to offer their opinions and their ideas really makes a difference. And I'm quite surprised, really, at often how my 30 years of experience, which should be a reason to hire a security professional, can sometimes hold me back in terms of how I approach solving a problem. 

Dave Bittner: What about sort of, you know, geographic diversity? Did the pandemic open up the possibility for a broader range of candidates just being able to work remotely? 

Kevin Magee: Absolutely. I think we have, as an industry, this idea that you need to be part of a major city or, you know, accessible to an office. And what the pandemic really showed is that, you know, we can work from anywhere. And using all the tools we have available to us, as long as you have a high-speed internet connection and you have the right skill sets, you are a viable candidate now. 

Kevin Magee: And we've really doubled down on making sure that we are exploring folks outside of the major geographical areas. We now have people in cities and towns in areas of the country we would've probably not necessarily thought of. And it's not that we wouldn't want those people. It's maybe we didn't think to go there to find talent. 

Kevin Magee: So we have new team members in Prince Edward Island from Canada, in Nova Scotia, in Saskatchewan, some areas of untapped talent where we maybe not have looked before in the past. And we're uncovering incredible talent, skills and team members in these places. And they're now having the opportunity to live where they want, to raise their family in the communities maybe that they grew up in and whatnot without having to sacrifice a chance to have a great career at Microsoft. 

Dave Bittner: All right. Well, Kevin Magee, thanks for joining us. 

Kevin Magee: Thanks, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Tre Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.