The CyberWire Daily Podcast 12.6.21
Ep 1472 | 12.6.21

Hot wallets hacked. Pegasus found in US State Department personnel’s phones. Cozy Bear update. Cybersecurity on the Russo-US summit agenda. US Cyber Command says it’s imposing costs.


Dave Bittner: A cryptocurrency exchange loses almost $200 million as two hot wallets are compromised. Phones belonging to U.S. State Department personnel concerned with Uganda are found to have been infected with NSO Group's Pegasus surveillance technology. Mandiant reports recent activity by the threat group thought responsible for the SolarWinds compromise. Cybersecurity will be on the agenda at tomorrow's Russo-U.S. summit. Caleb Barlow outlines threats to the Winter Olympics. Rick the Tool Man Howard looks at the marketing hype cycle. And U.S. Cyber Command says it's been imposing costs.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 6, 2021. 

Dave Bittner: Altcoin exchange BitMart suspended deposits and withdrawals Saturday, the company's CEO tweeted, after the exchange identified a large-scale security breach affecting two of its hot wallets. BitMart attributes the incident to a stolen private key, and it hopes to gradually begin resuming normal trading tomorrow. 

Dave Bittner: Quote, "in response to this incident, BitMart has completed initial security checks and identified affected assets. This security breach was mainly caused by a stolen private key that had two of our hot wallets compromised. Other assets with BitMart are safe and unharmed. We are now doing our best to retrieve security setups and our operation. We need time to make proper arrangements, and your kind understanding during this period will be highly appreciated. In terms of asset deposit and withdrawals, we are confident that deposit and withdrawal functions will gradually begin in December 7, 2021. The detailed timelines will be announced very soon," end quote. 

Dave Bittner: The blockchain security firm PeckShield estimates total losses at about $196 million. They characterized the incident as pretty straightforward - transfer-out, swap and wash. BitMart's CEO says the exchange intends to compensate affected depositors from the company's own funds. He tweeted, quote, "BitMart will use our own funding to cover the incident and compensate affected users. We are also talking to multiple project teams to confirm the most reasonable solutions, such as token swaps. No user assets will be harmed," end quote. 

Dave Bittner: It's worth noting that the weekend's volatility in cryptocurrencies - and volatility means a turbulent drop in price - was not related to and still less caused by the BitMart incident. Market Insider noted that the weekend saw the global cryptocurrency space losing about $400 billion in value. The total market value of all tokens fell from over $2.6 trillion to under $2.2 trillion this morning. The price drop began Friday, before the BitMart incident occurred. In any case, the decline in the altcoin markets is being attributed to regulatory uncertainty and broader concerns about economic conditions and the so-far unknown effects of the omicron variant of COVID-19. 

Dave Bittner: Reuters reported Friday that the phones of U.S. State Department personnel in Uganda were infested with Pegasus surveillance software. NSO Group has said that Pegasus will not run on phones registered with the characteristic +1 U.S. country code, but the affected State Department personnel used phones registered with foreign country codes. It's unclear which customer deployed the tool in this incident. 

Dave Bittner: The Israeli Embassy in Washington said that, quote, "if these claims are true, it is a severe violation," end quote, of Israeli cyber export control law. The absolute numbers involved are relatively small, said to amount to 11 infestations, but targeting of U.S. diplomats is both new and troubling. 

Dave Bittner: NSO Group says it's investigating allegations of Pegasus abuse and that it intends to revoke the use of Pegasus by any customer it finds violated NSO Group's terms of service. What agency or organization deployed Pegasus against U.S. diplomatic personnel working in or around Uganda is unclear. There are no immediate reports of evidence linking the infestation to Uganda's government, for example, but investigation remains in its earlier stages. 

Dave Bittner: The company itself may have its suspicions. It says it hasn't yet confirmed that its tools were in fact used, but it has, in recognition of how serious the allegations are, decided to terminate relevant customers' access to the system. Those relevant customers aren’t specified. NSO Group also promises to cooperate with official investigations. SecurityWeek quotes the company as saying, "on top of the independent investigation, NSO will cooperate with any relevant government authority and present the full information we will have," end quote. 

Dave Bittner: The news is generally regarded as being very bad for NSO Group, which is in debt and under pressure, Vox reports. And the patience of important governments is likely to be nearing exhaustion. The U.S. some weeks ago placed NSO Group on the Commerce Department’s Entity List, a set of sanctioned organizations. A Haaretz analysis concludes that Jerusalem is unlikely to carry NSO Group's water in this case and that the incident might represent a death knell for the company. 

Dave Bittner: Threat intelligence researchers at security firm Mandiant this morning released a report on what the company calls multiple clusters of suspected Russian intrusion activity that have targeted business and government entities around the globe. They’re tracking two clusters in particular - UNC3004 and UNC2652 - both of which they associate with UNC2452, the Russian government actor Microsoft calls Nobelium. The SolarWinds supply chain compromise and exploitation has been widely attributed to this group, which itself is thought to be an operation of Russia’s SVR foreign intelligence service. 

Dave Bittner: Mandiant calls out seven characteristics of this recent activity as being particularly noteworthy. First, compromise of multiple technology solutions, services and reseller companies since 2020; the use of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain initial access to organizations; use of accounts with application impersonation privileges to harvest sensitive mail data since Quarter 1 of 2021; the use of both residential IP proxy services and newly provisioned geolocated infrastructure to communicate with compromised victims; the use of novel TTPs to bypass security restrictions within environments including, but not limited to, the extraction of virtual machines to determine internal routing configurations; the use of a new bespoke downloader they call CEELOADER; and finally, abuse of multifactor authentication leveraging push notifications on smartphones. 

Dave Bittner: Mandiant’s attribution is tentative and cautious, but they think that the group responsible for the recent activity is well-resourced, effective, follows sound opsec and, above all, is likely to be heard from again. 

Dave Bittner: A video call scheduled for tomorrow between Russian President Putin and U.S. President Biden will take up, among other topics, cybersecurity issues, the White House announced Saturday. Tensions over Ukraine will figure prominently in the discussion. 

Dave Bittner: Russia has dismissed U.S. complaints of aggression with a tu quoque - essentially, you want to see aggression, America, look in the mirror. But of course, the U.S. hasn’t recently massed 170,000 troops on anyone’s border. Although there is this week’s upcoming Summit of Democracies to which Moscow was not invited, and that’s about the same thing as 10-odd division-equivalents, right? Right? 

Dave Bittner: But seriously, the tension between Russia and Ukraine is serious and potentially dangerous, as Ukraine seeks closer ties with both NATO and the EU, both of which Russia regards as a dangerous encroachment on its sphere of influence. With such tension, one expects an increased tempo of cyber operations as well. 

Dave Bittner: It’s been known for some time that U.S. Cyber Command has adopted a more assertive posture with respect to threat actors. On Saturday, General Paul Nakasone, Director NSA and Commander of U.S. Cyber Command, confirmed that this was indeed the case and specifically so with respect to ransomware actors. What Cyber Command had actually done the general didn’t specify, but he did stress that it had imposed costs on some of those actors. 

Dave Bittner: The New York Times quoted him as saying, "before, during and since, with a number of elements of our government, we have taken actions and we have imposed costs. That’s an important piece that we should always be mindful of," end quote. To everyone at Cyber Command, we say good hunting. 

Dave Bittner: And it is my pleasure to welcome back to the show, the CyberWire's own chief security officer and chief analyst, Rick Howard. Rick, great to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So on this week's "CSO Perspectives" podcast, you have invited a guest to the CyberWire Hash Table to discuss a tool in your Rick the Toolman series. What are we talking about this week? 

Rick Howard: That's right. Last week, we talked about a relatively new tool designed for the security stack. It's called XDR, or extended detection and response. You remember when we talked about them. 

Dave Bittner: Yeah, yeah. 

Rick Howard: And we started seeing these things in the marketplace around 2018. And when I was looking through the research, one investigator's name kept coming up in the literature. His name is Jon Oltsik. He is the senior principal analyst and fellow at the Enterprise Security Group. And he covers security, operations, analytics and risk management. And it just so happens that I've known Jon for years, right? So... 


Dave Bittner: Of course you have. 

Rick Howard: Of course. Right. You know, he was one of the original Cybersecurity Committee members back some seven years ago. So I thought he would be perfect for this Rick the Toolman episode. 

Dave Bittner: Yeah. Well, my recollection from last week's episode is that XDR is really just starting its journey into maturity. 

Rick Howard: Yeah, yeah. 

Dave Bittner: It's still early days for that. You said that Gartner has it right at the beginning of their hype cycle chart. But... 

Rick Howard: Yeah, yeah. 


Rick Howard: Which I love, by the way. Yeah. 

Dave Bittner: Yeah. I also remember that you had high hopes for it as a security orchestration platform. Now, do your thoughts align with Jon's on this, or does he disagree with you? 

Rick Howard: Well, you know, I wouldn't say we disagree - right? - though we are both old and cynical security practitioners at this point. So Jon agrees with me that XDR has a lot of promise in theory, OK? But he also knows what happens when vendors incorporate the theory into their marketing papers. And, you know, we've seen many examples of that in the past decade. You know, just think of what marketing departments have done with promising tech like AI and machine learning and even zero-trust. And so when you think about all of that, you get a good sense of where Jon is coming from. 

Dave Bittner: Yeah, absolutely. I - personally, I find that fascinating and also frustrating, that you have these things that could be good things, but they get so overused that they just lead to everybody rolling their eyes about them, and it's not always justified. 

Rick Howard: I know. And it turns people off, right? Because, you know - and, you know, security people are notorious for this. It's either the perfect thing since sliced bread, or it's horrible. There's no middle ground, right? And so... 

Dave Bittner: Right. It's true. 


Rick Howard: So you get vendors to wrestle with all these terms, and it turns people off. And then all those great things like zero-trust, machine learning - these are all great things for us. And don't get turned off by them. 

Dave Bittner: Yeah. Yeah. All right. Well, we will look forward to this week's episode of "CSO Perspectives." That is part of CyberWire Pro. You can find out about that on our website. Rick Howard, great talking to you. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. Caleb, it's always great to have you back. You know, we are coming up on the Winter Olympics, which is always exciting, but with that comes folks who are out there to do bad things to the Olympics in the cyber domain. Where are we coming into this? I mean, when we look back on the history of this, I don't recall any major interruptions to any of the games, but that doesn't mean that the folks out there weren't doing a good job thwarting them. 

Caleb Barlow: Well, let's start with a little history lesson, Dave. You know, the opening ceremonies were interrupted in Korea in 2018 when a cyberattack took out internet access and telecasts, grounded broadcasters' drones and actually shut down the Olympic website, even preventing spectators from printing out their reservations and attending the opening ceremony. So there were, believe it or not, a lot of empty seats. 

Caleb Barlow: Now, in the lead-up to the 2012 London Games, there was a loss of blueprints to the Olympic stadium building management system that were found on a hacker's computer. And nothing really happened with this, but it certainly, you know, raised everybody's hackles. 

Caleb Barlow: But probably the most interesting attack was in 2016 on the World Anti-Doping Agency, where records of athletes were accessed, publicly released, and most interestingly, Dave, they were changed in an effort to swing public sentiment about doping, representing one of the first and most significant instances of a data integrity attack that we've seen to date. 

Dave Bittner: Yeah. You know, and to me, that is a part of all this that really doesn't get mentioned perhaps as much as it deserves to be, which is this whole notion of data integrity that - we talk about, you know, people - wipers - getting their stuff wiped out or locked up with ransomware. But just knowing that your data is what it says it is, to me, that's a whole nother thing. And we rarely talk about that. 

Caleb Barlow: We do. And I - you know, I've said on this show many times, I think one of the biggest things companies need to really start thinking about isn't what happens when your data gets locked up. What happens when somebody changes your data? You know, how do you verify that your data is integral? And if you have a data integrity event, do you have the run books to deal with it? Because it's a special class of problem. 

Caleb Barlow: But I think one of the reasons why we've seen this in the Olympics is, hey, not only do the Olympics bring out the best athletes, but they also typically bring out the best hackers, right? You have nation-states. You have activists. You have politics. All of this stuff is coming together in the soup. 

Caleb Barlow: And I don't think this year's Olympics are going to be any different. I mean, first of all, it's in Beijing, which would normally just be a big old red flag for spectators. But I guess the good news here, because of COVID, is international spectators aren't allowed because of COVID. So, you know, if you are traveling - let's say maybe you work for a broadcast agency or something - bring burner equipment, burner phones and not your corporate laptop. 

Caleb Barlow: But, you know - but even folks at home watching, you know, phishing attempts are always through the roof. I think listeners here know don't click on the link. Go directly to the news site. But I suspect if I was going to predict what we're going to see this year, I think we're going to see misinformation attempts and maybe disruption attempts. I mean, this is the venue of where these things would be most impactful. 

Dave Bittner: Yeah. I mean, you can certainly see the international publicity, the potential for embarrassment and those sorts of things. I mean, do you think the folks in China are up to the task here of defending themselves? 

Caleb Barlow: Well, I mean, the good news is coming out of Tokyo - I mean, Tokyo really didn't have much to say from a cybersecurity perspective, right? They did a really great job. So hopefully those organizing committees and those teams are really working together. 

Caleb Barlow: And, you know, hey, as much as the Chinese are good on offense, I'm sure they're probably pretty good on defense here, too. So, you know, we'll see if they're up to the task, and we'll see what happens. 

Dave Bittner: Yeah. Hope for the best, prepare for the worst, right? 

Caleb Barlow: Well, yeah. So Dave, what would be your Olympic event if you were an athlete? 

Dave Bittner: Oh, my goodness. 

Caleb Barlow: I mean, I'm not saying you're not an athlete, Dave. You're actually a pretty buff guy. 

Dave Bittner: (Laughter). 

Caleb Barlow: But what would be your sport? 

Dave Bittner: I could be the announcer (laughter). 

Caleb Barlow: I could see that. I could see that. 

Dave Bittner: You know, I have to say, I was - athletics were never a strong suit of mine, but I was a fairly fast sprinter. So if there was anything that I showed any sort of biological proclivity for, it would be running a short distance in a short amount of time. So I guess that would be it. 

Caleb Barlow: But, Dave, it's the Winter Olympics, so you'd better start practicing the luge. 

Dave Bittner: Oh, my gosh. You're right - Winter Olympics. See, there's - there you go. I don't even know what the events are. I could ride a mean sled. I could do this luge. Sure, why not? 

Caleb Barlow: All right. All right. 

Dave Bittner: All right. Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.