The CyberWire Daily Podcast 12.3.21
Ep 1471 | 12.3.21

Espionage phishbait in South and Southwest Asia. A utility recovers from a cyber incident. GAO tells the US Congress cyber strategy is wanting. Investigations, Moscow and Missouri style.

Transcript

Dave Bittner: A Pakistani APT is phishing for information in both India and Afghanistan. A Colorado electrical utility continues to recover from a cyber incident it sustained early last month. The GAO tells the U.S. Congress that the nation still lacks a comprehensive cybersecurity strategy. The Missouri Highway Patrol continues, for some reason, to investigate a responsible disclosure as a criminal hack. Dinah Davis from Arctic Wolf on hackers targeting Minecraft. Our guest is Blake Darche from Area 1 Security with research on phishing. And it appears Moscow thinks a Group-IB leader outed Fancy Bear to the U.S.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 3, 2021. 

Dave Bittner: Security firm Malwarebytes has released additional information on SideCopy, a Pakistani APT that Facebook last month had identified as prospecting personnel of the former, pre-Taliban government of Afghanistan with romantic lures. SideCopy used new variants of the Stealer data theft tool, and the information it collected included access to government portals, Facebook, Twitter and Google credentials, banking information and password-protected documents. In addition to Afghanistan, SideCopy seems mostly interested in collecting against India. 

Dave Bittner: Some of the new infection vectors SideCopy is using include malicious Microsoft Publisher documents and Trojanized applications. The hook is commonly embedded in an archive file. The phishbait itself tends to fall into two broad categories. 

Dave Bittner: The first of these Malwarebytes calls targeted lures - that is, bait designed to attract the eye of specific victims. The company's researchers say, quote, "we believe this category is very well customized to target government or military officials," end quote. This variety of phishbait consists of reports on military and intelligence activities, including documents that describe various aspects of military education. 

Dave Bittner: The second kind of lure Malwarebytes calls generic, adapted to use in the broad net of a spam campaign. These are, for the most part, either pictures of young women or resumes that purport to record young women's careers. 

Dave Bittner: The name SideCopy is derivative, a coinage intended to suggest the way in which SideCopy's infection chain appears to be trying to imitate the one used by the SideWinder APT. SideWinder, by the way, is a suspected Indian APT noted for its focus on South Asian targets, which suggests that SideCopy may be waving a false flag small enough that it might be better described as a false fig leaf. 

Dave Bittner: SideCopy itself seems to have some other significant similarities with Transparent Tribe. And if you're filling out your APT scorecards org chart, consider penciling them in as a Transparent Tribe subunit. Malwarebytes points out that Cisco Talos and Seqrite both have good background material on SideCopy, a recommendation we'll happily second. 

Dave Bittner: ZDNet reports that Delta-Montrose Electric Association, DMEA, which operates in the U.S. state of Colorado, continues to work toward recovery of systems affected by an unspecified cyber incident the company detected in early November. Delta-Montrose's CEO published a letter to the cooperative's members this Monday in which she explained, quote, "on November 7, 2021, we discovered a targeted effort to access portions of our internal network system by an unauthorized party. This resulted in multiple days of downtime for DMEA's internal network. We could not access or operate certain systems, such as phone, email and payment processing," end quote. 

Dave Bittner: The cooperative doesn't call the incident a ransomware attack, but it sounds like it. Delta-Montrose's live update page describes the episode as follows. Quote, "DMEA lost 90% of internal network functions, and a good portion of our data, such as saved documents, spreadsheets and forms, was corrupted. It also impacted our phones and emails. Our power grid and fiber network remain unaffected by the incident," end quote. 

Dave Bittner: The incident seems to have affected billing most severely, and the cooperative thinks it may be able to restore payment services to its kiosks by Monday but that, in any case, it will suspend any penalties or disconnections until January 31, at least.

Dave Bittner: The update page says that a forensic inspection of the co-op's networks has convinced it that no sensitive data were compromised. Quote, "immediately following the incident, DMEA retained forensic experts to perform an investigation. The forensic team confirmed that there was no breach of sensitive data within our network environment. We always encourage all members to follow best practices for password security, including using two-factor authentication whenever possible," end quote. 

Dave Bittner: A report the U.S. Government Accountability Office delivered to Congress yesterday makes the case that U.S. critical infrastructure remains at serious risk from cyberattacks. The report calls out what it sees as a lack of a comprehensive cybersecurity strategy and concludes, quote, "the federal government needs to move with a greater sense of urgency in response to the serious cybersecurity threats faced by the nation and its critical infrastructure," end quote. 

Dave Bittner: The St. Louis Post-Dispatch has published an update concerning the discreditable episode in which the governor of the U.S. state of Missouri denounced one of the paper's reporters as a criminal hacker for disclosing the discovery of an exposed database to the Department of Elementary and Secondary Education. Apparently, the department had prepared a statement thanking the reporter for bringing the matter to their attention, but that statement was preempted the following day by the governor's call for prosecution. 

Dave Bittner: The Post-Dispatch writes that it obtained an email under Missouri Sunshine Laws that gave the Department of Elementary and Secondary Education's first proposed public response. Quote, "in an October 12 email to officials in Governor Mike Parson's office, Mallory McGowin, spokeswoman for DESE, sent proposed statements for a press release announcing the data vulnerability the newspaper uncovered. 'We are grateful to the member of the media who brought this to the state's attention,' said a proposed quote from Education Commissioner Margie Vandeven," end quote. 

Dave Bittner: That, of course, was not the way the governor decided to frame the incident. At a news conference he held on October 14, after the story ran, Governor Parson said, quote, "we will not let this crime against Missouri teachers go unpunished, and we refuse to let them be a pawn in the news outlet's political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them," end quote. 

Dave Bittner: The report also provides additional grounds for thinking DESE simply had a misconfigured database readily discoverable from the internet, that the reporter hacked nothing and that, indeed, there was no network intrusion. The Post-Dispatch didn't run the story until October 14, after it had notified DESE and after the department had taken steps to secure the data. 

Dave Bittner: The governor's office has apparently continued to double down on its claim that the reporting was politically motivated criminal hacking. In any case, as of yesterday, the Post-Dispatch writes, the Missouri Highway Patrol still had an open investigation into the case.

Dave Bittner: The CyberWire contacted the governor's office in October about the incident but has not received a response. 

Dave Bittner: Bloomberg Businessweek describes the ongoing Russian treason prosecution of Group-IB executive Ilya Sachkov. The Kremlin believes him responsible for tipping the U.S. off to Fancy Bear's activities around U.S. elections. Details of the charges are state secrets, but three sources have told Bloomberg that Sachkov provided information to the U.S. that enabled them to identify the GRU operators responsible for Fancy Bear's attempts to meddle with the 2016 U.S. presidential election. 

Dave Bittner: Group-IB, whose headquarters moved from Moscow to Singapore in 2019 as the company sought to develop an international practice, has cultivated relationships with a number of non-Russian law enforcement operations. It's now in a position of being mistrusted by Russia while not being fully trusted by the U.S., Bloomberg Businessweek reports. 

Dave Bittner: There's also, the report says, the possibility of some guilt by association. Quote, "a central figure is Sergei Mikhailov, 47, a former senior official with the Federal Security Service, or FSB - the main domestic successor to the Soviet-era KGB - who led investigations into cybercriminals in Russia. Mikhailov was arrested in Moscow in December 2016, one month after the U.S. presidential election, and charged with treason. He was convicted in 2019 and sentenced to 22 years in prison after a trial in which Sachkov was a key witness for the prosecution, according to Mikhailov's defense team, which has accused Sachkov of providing false testimony," end quote. 

Dave Bittner: So much for turning state's evidence. Sachkov faces up to 20 years in a labor camp, should he be convicted. He has from the outset denied the charges and says he provided no secret information to foreign intelligence services. 

Dave Bittner: The folks at Area 1 Security recently released a study titled "It Started Out With a Phish," highlighting the serious potential impact of business email compromise. Blake Darche is co-founder and chief security officer at Area 1 Security. 

Blake Darche: I think one of the top things there is, you know, supply chain compromises where we see an organization have a variety of partners, one of those partners gets compromised, and then that partner is used to try to hack into your system. Or they might be used to try to impersonate you - impersonate that vendor or partner to your organization in order to move money fraudulently. 

Blake Darche: So there's a lot of different supply chain weaknesses that we see out there, and I think the supply chain problem is only growing in magnitude as more and more organizations adopt a digital transformation as part of, you know, COVID-19 and just general IT trends. There's more and more attack surface for attackers to hit. And we see that on a continual basis. 

Blake Darche: I think Microsoft SharePoint's a great example, where Microsoft, you know, pretty much has lost full control of Microsoft SharePoint. And Microsoft SharePoint and Microsoft OneDrive are two of the top attack vectors today on the internet, and Microsoft is almost powerless to stop it. And it's a real problem. 

Blake Darche: There was a recent case where someone on Twitter that was a former Microsoft employee was critiquing Microsoft for actually just turning a blind eye to the problem because so many organizations running Office 365 have been compromised that they were all hosting ransomware now, and people were getting hit with ransomware at these different organizations due to one organization's misconfiguration. 

Blake Darche: So I think there's a wide variety of attacks and a wide variety of pieces of cloud infrastructure that facilitate those attacks. 

Dave Bittner: Are there any areas of this that you feel aren't getting the attention they deserve? Are there elements to this that are being ignored? 

Blake Darche: I think by and large, BEC attacks do not get the attention they deserve because they're very difficult to kind of quantify, if that makes sense - much more so than APT attacks, where a hacker came in, took over an organization and stole a bunch of data. People can wrap their head around people stealing a bunch of data and trying to steal source code. 

Blake Darche: But I think in terms of just the day-to-day grind when you have - you know, you might get two or three BEC attacks a week, where someone's trying to move, you know, $50,000, $30,000, $100,000, and then another week, it's $50 million. It's just continual, if you know what I mean. And people are really underestimating the number of BEC attacks there are. By our estimation - we were comparing against some FBI reporting - we think BEC attacks are underestimated by over 90%. 

Dave Bittner: So, I mean, given that, what are your recommendations, then? I mean, how should organizations best protect themselves against this? 

Blake Darche: I think people need to - organizations need to take advantage of, you know, next-generation anti-phishing technologies to look for, you know, inconsistencies in behavior, in language, in the way an attack is written. You know, there's several different companies out there that can help in this space. 

Blake Darche: They also need to be very mindful of, you know, the email attacks that might lead to a voice-style phishing attack where the user might try to authenticate you on the phone with a - you know, one of these fake impersonation generators where it'll mask and make it seem like your voice is someone else's. 

Blake Darche: And I think, you know, you need to be mindful of all these things. You need to add, you know, really, defense in depth. It's kind of like peeling back the onion. You can never have too many layers of security. 

Dave Bittner: How do you balance that, though, you know, without having too much friction for your users? 

Blake Darche: I think a lot of good security solutions don't impact users on a continual basis, right? And they should be kind of more transparently in the background, right? And the more the user is being kind of, like, impacted on a minute-to-minute basis on everything they do, you know, the less functional that security actually is. In a perfect world, you know, you just do not want to have to be impacting your users that much. 

Blake Darche: I think the most famous example of, you know, user impact is two-factor authentication, right? 

Dave Bittner: Right. 

Blake Darche: You know, it's a real pain. Everyone needs to do it. But at the end of the day, without two-factor authentication, you know, that's a real vector that gets an account's, you know, password guessed, basically, with a brute force attack. 

Dave Bittner: Yeah. I mean, it's an interesting thing. You know, I find myself personally, on those occasions when I'm, you know, banging my head against the desk because I'm in some sort of two-factor authentication rathole, I just remind - take a deep breath and remind myself, this is for security; this is for security. You know? 

Blake Darche: Yeah, I agree with you. I mean, I run into the same challenge where, you know, it's like, oh, there's two - I have to two-factor authenticate to something. Like, my phone's out of power or... 

Dave Bittner: Right. 

Blake Darche: ...My key is somewhere else. And I'm like, oh. 

Dave Bittner: Yeah. 

Blake Darche: Why now? You know what I mean? 

Dave Bittner: Right. 

Blake Darche: And it's always when you don't want to do it, right? So, like, you're trying to finish something easy up, then it's like, no, it's time to re-authenticate right now. You're like, seriously? 

Dave Bittner: Right. 

Blake Darche: Right now? 

Dave Bittner: Yeah. 

Blake Darche: Every single time. 

Dave Bittner: No, my old college roommate swore that all electronic devices come equipped with a critical-need sensor so they know when you need them most, and that's when they decide to fail. 

Blake Darche: I would agree with your college roommate, for sure. 

Dave Bittner: That's Blake Darche from Area 1 Security. 

Dave Bittner: And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D operations at Arctic Wolf and also the founder and editor-in-chief at Code Like A Girl. Dinah, always great to have you back. 

Dave Bittner: You know, my two sons have - and particularly my older boy was very, very active in the Minecraft world, spent - spends - and continues to spend a lot of time there. And lately, there have been some hackers who've been going after Minecraft. What's the latest there, Dinah? 

Dinah Davis: Yeah, this headline got me right away. So I was scrolling through the headlines, and I saw this, like, headline that's like, "Ransomware Targeting Minecraft." And I'm like Minecraft - they're children. What are they - what are you encrypting, their, like - their cool house they built, their - the farm? What's going on? 

Dave Bittner: And? 

Dinah Davis: Well, OK. So they're not actually going after kids. So there's this subculture with Minecraft that I wasn't aware of, which is there's these things called alt lists, and they, I guess, have stolen Minecraft accounts - right? - so usernames and passwords of stolen Minecraft accounts. And people go and buy those so that they can go and do untoward things on Minecraft that would get them banned. So they can go bully people. They can go do things like that, right? 

Dave Bittner: Oh. 

Dinah Davis: And so the hackers are actually targeting those alt lists. So when somebody downloads one of those, they think they've purchased an alt list where they're going to get, you know, extra free accounts on Minecraft, and then what they're actually getting is, you know, ransomware. So as soon as they, you know, open that file up, then their whole system gets encrypted. 

Dave Bittner: Oh. 

Dinah Davis: So, like, the question is, are they - are the ransomware people helping us - like, getting people to stop buying the alt lists? 

Dave Bittner: (Laughter) I was - yeah. Right. I was thinking the same thing. Like, who's the victim here? Or, you know - like, or, I guess, how much empathy should we have for people getting their hands slapped when they're out to do something bad to begin with? I'm not sure. 

Dinah Davis: On a platform that's mostly children. 

Dave Bittner: Yeah. 

Dinah Davis: Yeah. 

Dave Bittner: That's true. Two wrongs don't make a right. 

Dinah Davis: But, like, think about the mess that would be, like, if your son did that - oh, my God - and he didn't know, like, what - you know, what an alt list was or something, downloaded it, and now all of your stuff is encrypted - brutal. 

Dave Bittner: On the home computer - right? - the family computer. 

Dinah Davis: Yeah, on the home computer, exactly. 

Dave Bittner: Yeah. I mean, it's a great point. And I guess - what? - the take-home here is that if you have someone in your life who's playing Minecraft, you might want to drop this information to them in case they may be - I don't know - thinking of dabbling in some of these alt lists. 

Dinah Davis: Yeah, yeah. I think that's about all you can do. 

Dave Bittner: Yeah. All right, interesting stuff. Dinah Davis, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: Be sure to tune in to this weekend's "Research Saturday" and my conversation with Christo Butcher from NCC Group's Research and Intelligence Fusion Team. We're discussing their research into a cybercriminal group they call SnapMC. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.