The Russo-US summit is expected to take up tension over Ukraine and tensions in cyberspace. Microsoft disrupts APT15. Google disrupts Glupteba. Satoshi Nakamoto is...out there still?
Dave Bittner: Notes on today's Russo-America summit. Microsoft seizes websites used by the Chinese threat actor Nickel. Google takes technical and legal action against a Russian botnet. Ben Yelin unpacks Australia's aim to uncover online trolls. Our guest is Ed Amoroso from TAG Cyber. And the real Satoshi Nakamoto has yet to stand up. Just ask a Florida jury.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 7, 2021.
Dave Bittner: First, some quick, developing news. The AP reports that Amazon Web Services users are reporting outages in the service. There's no word yet on causes or remediation. The disruption began around noon. We'll be monitoring developments.
Dave Bittner: Now, on to the rest of the day's news. The Russo-American virtual summit is in progress, with the threat of Russian military action against Ukraine the principal topic under discussion. The principal U.S. leverage appears to be economic as opposed to military. Bloomberg reviews the range of sanctions available. The New York Times is running live updates on the meetings as details become available.
Dave Bittner: The Guardian reports that Latvia's foreign minister, Edgars Rinkevics, has warned NATO to prepare a swift response should Russia invade Ukraine - forward deployment of troops, cancellation of the Nord Stream 2 natural gas pipeline to Europe and the stiffest available economic sanctions.
Dave Bittner: Latvia, as another former Soviet Republic, is concerned that Russian action against Ukraine would constitute a sharp assertion that the near abroad is firmly within Moscow's sphere of influence, indeed, under Moscow's effective control. The foreign minister sees NATO's credibility as on the line as well.
Dave Bittner: Quote, "Russia has to know that if you do something bad in Ukraine, then the NATO and U.S. presence in the eastern flank of the alliance will increase. If you do this, you will provoke a bigger presence than now. These decisions had to be made now through bilateral channels and the alliance so if Russia acts there can be a swift and broad response that does not take months or years," end quote.
Dave Bittner: The troop movements NATO is urged to undertake would be forward deployment of combat units, including specifically air defense batteries, not a combat mission into Ukraine itself. It would amount to forward-deployed deterrence analogous to that practiced by the Atlantic alliance in Germany during the Cold War. Foreign Minister Rinkevics also urges early and thorough preparation of a range of economic sanctions.
Dave Bittner: Quote, "work is already underway for a tough economic sanctions package, including the disconnection of Russia from the SWIFT banking system, sanctions on the Russian gas pipeline Nord Stream 2 and other economic sanctions. That package needs to be prepared so it can be applied reasonably quickly. We need to be able to target those who are helping Russia to get more revenues," end quote.
Dave Bittner: The U.S. is believed to be thinking along the same lines. While direct U.S. military action in Ukraine is very unlikely, sanctions are to be expected. Bloomberg runs through the U.S. options.
Dave Bittner: Two especially severe strictures are, first, removing Russian access to the SWIFT interbank financial transfer system and, second, blocking Russia's ability to convert rubles into U.S. dollars, euros or British pounds. The second option is the more likely, since the first would wreak widespread, indiscriminate damage to ordinary citizens. Preventing conversion of rubles into other currencies would be more targeted and a more discriminating response.
Dave Bittner: According to The Record, a senior unnamed administration official yesterday said that a Russian offensive might well be a cyber, as opposed to a kinetic, campaign. And here, too, U.S. economic sanctions are seen as a likely approach to imposing costs.
Dave Bittner: Russian government activity in cyberspace retains, as Mandiant reported yesterday, the high tempo it reached during the SolarWinds compromise. Kremlin toleration and, arguably, encouragement of ransomware gangs is increasingly an open secret. The New York Times says that extortion payments are passing through Federation Tower East, the tallest building in Moscow and the choicest business address in the city's financial district. Official toleration of cybercrime is expected to come up at today's summit.
Dave Bittner: Microsoft has seized, pursuant to a court order the company obtained, websites operated by the Chinese government threat actor Redmond calls Nickel and others call Ke3chang, APT15, Vixen Panda, Royal APT and Playful Dragon. Microsoft has been tracking Nickel since 2016. It's known for pursuing targets in both the public and private sectors, but its particular interest in foreign ministries and diplomatic organizations suggests a concentration on foreign policy.
Dave Bittner: Nickel is regarded as a capable and careful organization. Quote, "the attacks the Microsoft Threat Intelligence Center observed are highly sophisticated and used a variety of techniques but nearly always had one goal - to insert hard-to-detect malware that facilitates intrusion, surveillance and data theft. Sometimes, Nickel's attacks used compromised third-party virtual private network suppliers or stolen credentials obtained from spear-phishing campaigns. In some observed activity, Nickel malware used exploits targeting unpatched on-premises Exchange Server and SharePoint systems," end quote.
Dave Bittner: Our cybercrime desk has been watching a lot of "Three Stooges" reruns during the pandemic - not always, we admit, to their profit. And today they tell us, spread out, knuckleheads. Here's why.
Dave Bittner: Google has also been active against criminal infrastructure. In this case, the company took action against Glupteba, which might be roughly translated from the Russian as, you dummy. Moe Howard would've said, why you.
Dave Bittner: In this case, Mountain View is attempting to provide the I-oughta in the form of a technical head slap and a legal nose-pull.
Dave Bittner: Glupteba is a botnet. Google thinks it currently contains about a million compromised Windows devices around the world. During growth spurts, Glupteba's bot herders have shown the ability to bring in thousands of new devices daily. The botnet is used for stealing credentials and other data, for cryptojacking on infected hosts and for establishing proxies that can funnel other people's internet traffic through infected machines and routers. It's a criminal, as opposed to an espionage, operation.
Dave Bittner: Glupteba isn't new - Malwarebytes has been tracking it for some time - but Google's disruption is. As Google explains, quote, "first, we are coordinating with industry partners to take technical action. And second, we are using our resources to launch litigation - the first lawsuit against a blockchain-enabled botnet - which we think will set a precedent, create legal and liability risks for the botnet operators and help deter future activity," end quote.
Dave Bittner: The technical seizure of Glupteba's infrastructure will, for now, as Google cautiously observes, prevent the botmasters from using their botnet, but long experience teaches that criminal operations tend to prove resilient in the face of such disruptions, and Google thinks the bad guys will be back.
Dave Bittner: In some respects, Google thinks lawfare might offer the prospects of a longer-term solution. Quote, "our litigation was filed against the operators of the botnet, who we believe are based in Russia. We filed the action in the Southern District of New York for computer fraud and abuse, trademark infringement and other claims. We also filed a temporary restraining order to bolster our technical disruption effort. If successful, this action will create real legal liability for the operators," end quote.
Dave Bittner: And if the operators, or more so, those on whose support they depend, run afoul of the courts, there may indeed be some degree of deterrence here.
Dave Bittner: And, finally, this just in yesterday from The Wall Street Journal - whoever Satoshi Nakamoto is or was, it's not Craig Wright and David Kleiman, at least according to a Florida jury in a civil case. Mr. Kleiman's estate - he himself is deceased - was suing Mr. Wright for a share in a partnership the two men have claimed to have established using the Satoshi Nakamoto pseudonym in order to set up Bitcoin.
Dave Bittner: The jury did not find that the partnership had existed in that form, rejecting nine of the plaintiff's 10 claims. They found for the plaintiff on the 10th, converting Bitcoin owned by the partnership to his own use, and so Mr. Wright has been ordered to turn over a hundred million dollars in Bitcoin to Mr. Kleiman's estate. But that's a far cry short of the $50 billion, with a B, he might have been found liable for.
Dave Bittner: The other upshot of the case, however, is that Mr. Wright will not be required to produce proof that he's the original owner of coins mined by Satoshi Nakamoto back in 2009. It's worth noting that the claims Mr. Wright advanced in 2016 to be the inventor of Bitcoin have been widely examined and generally found wanting.
Dave Bittner: But in any case, the exclusive and quite possibly mythical Mr. Nakamoto remains very much in the air, free as a bird and elusive as a morning song.
Dave Bittner: The team at TAG Cyber recently released a quarterly report, this time focusing on the hybrid workplace largely brought on by the pandemic and what it means for the future of cybersecurity. Ed Amoroso is CEO of TAG Cyber.
Ed Amoroso: Cybersecurity experts generally have a model in their mind when they think about computing. You have to. You know, the power of abstraction in thinking and coming up with ways of developing protection solutions or any kind of technology is important. And the model we always had was like that perimeter model - right? - where you have this blob of computing behind a firewall. And we all knew that that was dissolving to some degree.
Ed Amoroso: But I think things came into very clear focus for companies in the 2019-to-2020 time frame. For example, companies that go to a gigantic fuss about making sure that they very carefully program access from their employees or from consultants to resources that they would be talking behind some VPN concentration in their enterprise - we're suddenly having meetings talking about that, where their employees were using their home computers over Zoom to get on the call.
Ed Amoroso: And we would laugh 'cause we'd think - it almost was like this very twisted concept of - you're doing something convenient and very cloud-focused and sort of, you know, from a device, and you're sitting in a Starbucks, and you're talking about designing something that has none of those attributes. And it just became so obvious - this idea that you need to hairpin, you know, through a corporate gateway to get to the internet, that's always been dumb. So that - I think it just exposed how silly that was.
Ed Amoroso: And another one - for example, I do a lot of consulting with our team at TAG Cyber. We have a lot of ex-AT&T folks that work with us. Well, during the pandemic, we noticed that attitudes toward that shifted considerably. And I think zero-trust came alive. Now, we in cybersecurity have a way of sort of - we get a concept that's interesting, and we beat it to death, right (laughter)?
Dave Bittner: Yeah.
Ed Amoroso: It's - so it's not like zero-trust is wrong. It's just the marketers got a little bit too aggressive with the concept. Now it's become a caricature. But once that settles down, the idea that from a device, you'd hit a network to get the cloud to reach an app, that's 99% of what we all do every day. That is our use case. And whether you're a user doing it to get to an app or you're a supplier dealing with a customer or you're even a branch office getting to cloud, that cadence is the same.
Ed Amoroso: And that's the essence of not only zero-trust but also this idea of secure edge, like having this second-generation business network that's no longer MPLS hub and spoke but rather, you know, what - some people would refer to this as, like, SASE. I'm not always so crazy about the term because I think most people who say it can't expand the acronym. But the idea is next-generation cloud-hosted workload access - how do you manage that?
Ed Amoroso: And it's kind of magical because I remember in the early days of networking when it was shown to me - I think it was Cisco showing me. This is when I was at AT&T - the idea of separating data and control planes. I know that shows you how old I am.
Dave Bittner: (Laughter).
Ed Amoroso: Won't take that for granted. But that was such a great idea. I mean, when you're managing networks, that idea was like - I thought, what a really capable team that would think that up. And it was the whole network industry.
Ed Amoroso: Well, once you've separated those two, the next insight was - take all the control, and instead of worrying about thousands of routers or endpoints or hundreds of branch offices, put it in the cloud, and now you can control the network from the cloud. And as that came into focus the last few years, nothing has made me happier. And that is the essence of work from anywhere. That's what work from anywhere means. It means that we can extend; we can scale; we can manage in a way that allows us to build networks that can look like any shape you like, instead of the old MPLS hub and spoke, which really was quite limited. You can't draw hub-and-spoke networks in a way that scales. Anybody who's ever looked at a GUI that uses hub and spoke knows what I'm talking about because the screen very quickly gets unmanageable, right? You get all those lines coming out of a big dot and you go, oh, what good is that?
Ed Amoroso: So it's been an era the last few years where hybrid work has allowed us to do better jobs as computer scientists, as network engineers and definitely as cybersecurity experts. So we focus a lot about that in the quarterly. That's a big topic we cover.
Dave Bittner: That's Ed Amoroso from TAG Cyber.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security - also my co-host over on the "Caveat" podcast. Hello, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: Interesting article from ZDNet - this is written by Campbell Kwan. And it's titled "Social Media Platforms Need Complaints Schemes to Avoid Defamation Under Aussie Anti-Troll Bill." The folks in Australia are proposing a bill here that could clamp down on some social media companies. What is going on here, Ben?
Ben Yelin: This is the type of bill that would never stand a chance in the United States, just due to our political culture and our respect for civil liberties. But nevertheless, it's always interesting to see what happens in other countries.
Dave Bittner: Yeah.
Ben Yelin: So this is a proposed bill. It hasn't been enacted yet. It's called the Social Media Anti-Trolling Bill of 2021. Tech companies in Australia would be classified as publishers of any comments posted on a social media platform. And this would apply to any platform that has more than 250,000 users in Australia.
Dave Bittner: OK.
Ben Yelin: Under this law, if somebody reasonably believes that they have been the victim of defamation or trolling, then the social media companies would be compelled to share identifying information about the supposed troll - so username, address, phone number, et cetera.
Dave Bittner: IP address, I suppose - they should have that.
Ben Yelin: Exactly.
Dave Bittner: Yeah.
Ben Yelin: And that would allow Australian law enforcement to undertake an investigation. There is sort of a safe harbor provision to protect people's identity if the platforms reasonably believe that the complaint doesn't actually relate to defamation. If it's something that's frivolous, then the companies wouldn't be required to provide this information to the person complaining.
Ben Yelin: I understand the impulse for this law. Trolling is certainly bad. We don't want to see people harassed on the internet.
Dave Bittner: Right.
Ben Yelin: But I always worry about a slippery slope with these types of things. If we allow the government to compel these social media companies to turn over personal information in these circumstances, then you have a mechanism in place where it can be employed for political purposes, to target disfavored groups, identify people who, you know, might have a good reason about posting certain types of content on social media platforms that isn't defamatory.
Ben Yelin: So I think this is an interesting idea by the Australian Parliament. But like I said, I just don't think this is something that would be seriously considered in the United States.
Dave Bittner: So is this a matter of - that there are compelling cases for anonymity online that benefits us all?
Ben Yelin: Yeah. I mean, we've had a debate over the years about whether there's a right to be anonymous online. And there are costs and benefits to the rights of anonymity. Obviously, the benefits are, you know, we can foster a better marketplace of ideas. People aren't going to be willing to say what they think and feel and, you know, start the sort of broader political, religious, et cetera, discussion on online platforms. So that's the positive side.
Ben Yelin: The negative side is people can troll other people without there being any consequences. So you have to kind of weigh those values.
Ben Yelin: I think in the United States, just based on our political culture, generally, most people would weigh on the side of, let's keep this marketplace of ideas open. You know, if somebody is threatening violence against themselves or somebody else, maybe that's a rare opportunity where social media companies should have to identify that user. But when we're talking just about mean words, about trolling, even if it is defamatory, it shouldn't rise to the level where we're deanonymizing individuals.
Ben Yelin: Again, that's my personal view. But I think it's something that would be widely shared here in the United States. Again, you know, I think every country is different. If you have a culture that prizes the protection of people online, online safety, the protection from trolling, then I can understand why this would be a compelling proposal.
Dave Bittner: I'm curious - if Australia were to put something like this in place, how does that affect the global marketplace of your Facebooks of the world - you know, that are global platforms? How do you manage when people are exchanging things across international borders and you have one nation - Australia, in this case - a democracy - who has this set of rules that might not align with others?
Ben Yelin: So, you know - would apply to companies like Facebook 'cause it's any company that has more than 250,000 users in Australia. I'm sure that's true for every single Big Tech organization, Big Tech company. They definitely could meet that threshold of users.
Dave Bittner: Right.
Ben Yelin: So you'd have to have a compliance team as it relates to this Australian law to make sure that you're able to respond to these types of requests. Now, you're only able to get information on subjects over which Australia has jurisdiction - so people who are actually in Australia or under the legal jurisdiction of Australia.
Dave Bittner: Right.
Ben Yelin: You know, that means we could see, you know, people trying to play tricks - you know, maybe using VPNs and trying to conceal the fact that they're Australian or conceal the fact that they are in Australia.
Dave Bittner: Yeah.
Ben Yelin: Maybe you can get yourself outside of Australian jurisdiction by doing something like that, and then you wouldn't be subject to a penalty under the law. You know, I don't know enough about the broader tech statute provisions in Australia - whether, you know, there are laws against concealing yourself in that way. But it certainly, I think, seems right for people to try and get around these requirements.
Dave Bittner: You know, it reminds me of an old social media hack. And I don't know if it's - like, a social media life hack. And I don't know the degree to which this is true. But I remember hearing several times years ago that if you wanted to get rid of the Nazis on your Twitter feed, tell Twitter that you're located in Germany...
Ben Yelin: Right, exactly...
Dave Bittner: ...And poof.
Ben Yelin: ...Where they're - Nazis are banned.
Dave Bittner: Right.
Ben Yelin: Exactly.
Dave Bittner: And so they go away. And so evidently they're capable of filtering them (laughter). It's just you have to - they have to be compelled to do so.
Ben Yelin: Right, right.
Dave Bittner: So it's interesting.
Ben Yelin: And this - you know, I don't think this would be that much of a burden on Facebook because - or, you know, similar tech companies...
Dave Bittner: Yeah.
Ben Yelin: ...'Cause I think there are provisions, to varying degrees, like this in other countries. I'm not sure in Western democracies it's ever gone this far. But it's not something they're necessarily - that they're not going to be capable of adhering to.
Dave Bittner: Yeah. All right. Well, it'll be interesting to see it follow through - see if it actually becomes a law there and, if so, how that might affect the rest of the social media world. Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.