The CyberWire Daily Podcast 1.25.22
Ep 1501 | 1.25.22

Hacktivism as irregular operations-short-of-war. A banking Trojan aims at fraudulent wire transfers. DTPacker’s two-step delivery. REvil re-forms? Ransomware and insider threats. DDoS in Andorra.


Dave Bittner: Tensions remain high as Russia assembles troops near Ukraine and NATO moves to higher states of readiness. The Belarusian Cyber Partisans claim responsibility for a ransomware attack against Belarusian railroads. The BRATA banking Trojan spreads, as does DTPacker malware. REvil alumni may be getting the band back together. Ransomware operators are working harder to recruit insiders as their targets. Joe Carrigan has the story of a romance scammer in custody. Mr. Security Answer Person John Pescatore has thoughts on BYOD. And there's a major DDoS campaign shutting down the internet in Andorra.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 25, 2022. 

Dave Bittner: NATO has moved air and naval units into positions to respond to further Russian incursions into Ukraine. Reuters reports that the alliance presently has about 4,000 troops deployed in multinational battalions in Latvia, Lithuania, Estonia and Poland. The U.S. is said to have placed some 8,500 additional troops on alert, prepared to be transported to the region. U.S. Department of Defense spokesman John Kirby explained yesterday... 


John Kirby: As you're all aware, the United States is deeply concerned about the current situation in Europe. We remain keenly focused on Russia's unusual military activities near the Ukrainian border, including in Belarus, and consulting extensively with our transatlantic allies and partners. The department continues to support diplomatic efforts to de-escalate the situation. 

John Kirby: Now, as the president has said, even as we continue to prioritize diplomacy and dialogue, we must also increase readiness. In support of its obligations to the security and defense of NATO and the security of its citizens abroad, at the direction of the president and following recommendations made by Secretary Austin, the United States has taken steps to heighten the readiness of its forces at home and abroad so they are prepared to respond to a range of contingencies, including support to the NATO Response Force if it is activated. 

Dave Bittner: The U.S. commitment includes a contribution to the NATO Response Force. 


John Kirby: The United States also has a commitment to provide forces to the NATO Response Force, or otherwise known as the NRF, in the event that NATO should activate that construct. And as you may know, the NRF is a multinational force made up of land, air, maritime and special operations forces - all components that the alliance can deploy on short notice wherever needed. Altogether, the NRF comprises around 40,000 multinational troops. 

John Kirby: Within the NRF is something called the Very High Readiness Joint Task Force, or VJTF. This NRF element, which is about 20,000 strong across all domains, includes a multinational land brigade of around 5,000 troops and air, maritime and special operation forces components. 

Dave Bittner: Both of those clips courtesy of C-SPAN. 

Dave Bittner: Russia, which has staged approximately 100,000 troops near Ukraine, says NATO's response, described as hysteria, shows that Russia, not Ukraine, is the target of aggression. Hysterical or not, the Guardian writes that Western governments are preparing an extensive and potentially crippling sanctions regime that could be imposed on broad stretches of the Russian economy should Moscow's pressure on Ukraine continue. 

Dave Bittner: And coincidentally or not, the National Post reports that Global Affairs Canada, a service of the foreign affairs department, was hit with an unspecified cyberattack detected on January 19. The day before, Reuters observes, the Communications Security Establishment issued a bulletin warning that there was a Russian threat to Canadian infrastructure. According to Computing, investigation of the incident continues. Prime Minister Trudeau has reiterated Canadian support for Ukraine during the ongoing crisis. 

Dave Bittner: Ars Technica reports that the Belarusian Cyber Partisans have claimed responsibility for a ransomware attack against Belarusian railroads that's being called Peklo, which roughly means hellfire. The hacktivist group, which has acquired a reputation for sophistication, has been active since at least July of 2021. 

Dave Bittner: It's generally a good practice to approach hacktivism claims with healthy skepticism, and we were cautious yesterday in discussing this story. Hacktivism, after all, is easy to claim in false flag or otherwise deniable operations. 

Dave Bittner: In this case, however, the Cyber Partisans are a known group who appear to come pretty much as advertised. CyberScoop, for one, lays out the case for the Cyber Partisans being a genuine hacktivist group. The Washington Post did the same last September, a short time after the group first surfaced. It's believed that the Cyber Partisans are a self-taught group of about 15 expatriate Belarusian dissidents who retain some connection with disaffected members of Belarusian security services. 

Dave Bittner: The Cyber Partisans tweeted their explanation of why they hit the railroad. Quote, "at the command of the terrorist Lukashenka, Belarusian Railway allows the occupying troops to enter our land. We encrypted some of BR's servers, databases and workstations to disrupt its operations. Automation and security systems were not affected to avoid emergency situations," end quote. 

Dave Bittner: The AP reports that a spokesperson for the Cyber Partisans, New York-based Yuliana Shemetovets, said that, quote, "mostly commercial freight trains are affected. We hope it will indirectly affect Russian troops as well, but we can't know for sure. At this point, it's too early to say," end quote. So why a railroad? Well, they're a useful way of moving large numbers of heavy combat vehicles - tanks, infantry fighting vehicles, self-propelled artillery and the like. 

Dave Bittner: Multiple sources, including CNN, Newsweek, CBS News and ABC News, report that the U.S. Department of Homeland Security has issued a memorandum to its law enforcement partners, warning them to prepare for Russian cyberattacks in the event of a U.S. or NATO response to Russia's threatened invasion of Ukraine. The memorandum doesn't appear to contain much specific information beyond a recognition of Russian cyber capabilities and an acknowledgment that tensions in Eastern Europe are running high. So it seems to be a warning based on a priori possibility. Good advice, nonetheless, but everyone has known for some weeks that they should be on the qui vive for Russian state-run hacking. 

Dave Bittner: The CyberWire's continuing coverage of the crisis in Ukraine can be found on our website, 

Dave Bittner: Researchers at security firm Cleafy update their reports on BRATA, an Android banking Trojan being used for fraudulent wire transfers. BRATA has developed the following features. It has the capability to perform a device factory reset. It appears that the threat actors are leveraging this feature to erase any trace right after an unauthorized wire transfer attempt. It has GPS tracking capability. It has the capability to use multiple communication channels, HTTP and TCP, between the device and the C2 server to keep a persistent connection. And it has the capability to continuously monitor the victim's bank application through VNC and keylogging techniques. 

Dave Bittner: BRATA first appeared in use against Italian banking customers. It's since spread to the United Kingdom and Poland, and it's showing signs of finding victims in Latin America. 

Dave Bittner: Security firm Proofpoint describes a novel malware, DTPacker. It's being used to pack remote-access Trojans that, in turn, can steal information or install follow-on payloads, including ransomware. It's recently been gurgling around download locations carrying the theme of the Liverpool Football Club. No real connection to Jurgen and the lads. It's just an adventitious and opportunistic scam. 

Dave Bittner: Why call the malware DTPacker? Another accidental feature - the payload decoding uses a fixed password that contains the name of former U.S. President Donald Trump. But this is merely an homage, not an attribution, and no one thinks the malware is connected to anyone at Mar-a-Lago. 

Dave Bittner: The REvil ransomware gang, recently hit by Russia's FSB in a widely publicized enforcement action that resulted in both arrests and asset forfeitures, may be reforming, or at least some of its alumni, who remain at large, appear to be reconstituting the operation. GovInfoSecurity reports that the MalwareHunterTeam has been tracking what's either a revenant, a successor or an imitator - a gang that styles itself Ransom Cartel. There's some speculation that the FSB sweep may have hit more lower-level hoods than leaders and that, in particular, REvil's coders may have remained at large. 

Dave Bittner: A survey by Pulse and Hitachi connects insider threats with ransomware tactics. Over half of the hundred security and IT executives surveyed said that they or their employees had been approached by cybercriminals who sought to enlist the insiders' aid in conducting ransomware attacks. That represented an increase of 17% over those who reported attempts at recruitment when the survey was last conducted in November. 

Dave Bittner: Most of the contacts, 59%, were by email, with 27% and 21% of the contacts coming by phone call and social media, respectively. BleepingComputer speculates that the great resignation renders employees, who may already have one foot out the door, more susceptible to this sort of recruitment. 

Dave Bittner: Andorra's internet has been disrupted by a distributed denial-of-service attack that struck the country from Friday through Monday. The motive, you ask? Why pick on Andorra? Well, the Record has an answer. It seems those responsible for the DDoS attacks were intending to block Andorrans from participating in the Twitch Rivals SquidCraft Games - a Minecraft competition open to Spanish-speaking competitors and offering the winner a $100,000 purse. 

Dave Bittner: We note, once again, Minecraft competition has been the occasion for a large DDoS incident. The original Mirai infestation had its origin in an attempt to block the purveyor's competitors from closing in-game sales to Minecraft players. Many people at the time thought Mirai had to be a nation-state operation - a rehearsal for a widespread attack against communications infrastructure. It wasn't. 

Dave Bittner: And it's worth recalling the complexities of attribution, especially now, during heightened international tensions. And that initial Mirai attack - it wasn't a bear, a panda or even a kitten. It was just some guy in New Jersey. Forget about it. 

Dave Bittner: John Pescatore has been in the cybersecurity world for a while now, has been around the block a few times, has seen a few things and has lived to tell the tale. He joins us on the last Tuesday of each month to help answer your questions in this segment we call Mr. Security Answer Person. 

Automated Voice #1: Mister. 

Automated Voice #2: Security. 

Automated Voice #3: Answer. 

Automated Voice #4: Person. 

Automated Voice #1: Mister. 

Automated Voice #2: Security. 

Automated Voice #3: Answer. 

Automated Voice #4: Person. 

John Pescatore: Hello, and welcome back to Mr. Security Answer Person. I'm John Pescatore. Let's get into our question for this week. 

John Pescatore: BYOD asks: Like many companies, at the start of the pandemic, we were forced to let all employees remotely access work systems using their home computers and personally owned phones and tablets. We were originally planning to return to offices and terminate that access, but it looks like the new normal means continuing it. How do I convince management of the high level of risk of allowing bring your own device to continue? 

John Pescatore: Well, that is a very timely question as omicron slams into us, but I think it is the wrong question. Here's the thing - turns out, we've really been allowing BYOD use ever since Outlook Web Access first shipped with Exchange Server 5.0 in 1997. OWA was then incorporated into the IE browser a few years later by Microsoft. So realistically, since about 2000 or so, employees at many organizations have been using browsers to read, store and send sensitive business email and attachments from their home PCs and personally owned mobile devices. Turned out, users were silly enough to read email 24 hours per day. Theoretically, productivity went up, but we really did not see great leaps in data leakage. 

John Pescatore: And don't try to tell me, well, that is only email. Every audit finds email carrying sensitive and critical business data because email is still the major way businesses communicate both internally and externally. Don't get me wrong - there have been exposures, especially on computer kiosks, at conferences and other public locations. OK, I'm skewing old here. I guess I should explain. 

John Pescatore: For you younger folks, before you were allowed to do work email from your phone or tablet, when you were on travel, conferences would set up email lounges with kiosks where you could start up a browser and read your email. If it was done right, all your information would be deleted when you were done. But very often, it wasn't done right. 

John Pescatore: Ironically, not long after, in 2007, the iPhone came out, followed by the Android phone in 2008 and the iPad in 2010, allowing everyone to read email while pretending to listen to the conference speaker. Those badly implemented Windows-based computer kiosks disappeared, and BYO took over, which actually turned out to be much safer. 

John Pescatore: The odd reality is that many home users these days are using much more secure technology than what their employer provides. The iOS and Android operating systems were designed from day one with full-time internet connectivity in mind and include advanced security techniques like sandboxing and file encryption. They enforce application whitelists called fun names like App Store and Play, which do a great job of blocking malware and don't seem to bother users at all. The browsers and operating systems used on those devices are largely set to just patch themselves continually. Most of the devices even include biometrics, and the users are happy to log in with those fingerprint and/or facial sensors. Can you say all those things about your company-issued PCs? 

John Pescatore: Here's a short anecdote. Back when I worked at Gartner, a mid-sized telecoms company asked me this very same question because they were trying to fight off requests to use iPads. I had to tell them that several months before, their service VP had scheduled a call with me on how to set up iPads securely so service techs could carry electronic copies of service manuals versus having to try to schlep paper manuals, which were often out of date, up to the tops of poles and towers. I gave him some basic policy minimums, including forcing use of fingerprint sensors for login with timeout, etc. 

John Pescatore: Turns out, the service VP bypassed IT and IT security, bought his techs iPads out of his own budget, configured them pretty securely and had been using them safely for months - running browser-based email access, too, by the way. The security group had no idea this was going on, and my accidentally exposing it caused them and the CIO to go to the CEO and explain the risk. 

John Pescatore: The CEO said, wait, let me get this straight. Service had a problem. IT could not help them, so they solved it themselves. IT security thinks it is too risky, but can't point to any issues that have occurred in nearly six months of use. Why are you wasting my time? So unless you've had some major documented security incidents during this widespread use of BYOD, I'm going to suggest that instead you ask me, how can I convince management to support changes to make sure long-term use of BYOD maintains productivity and safety and security? 

John Pescatore: Great question. Start by pointing out that most online services are moving to require two-factor authentication for all access and that the company should move to that for all remote access from both corporate and personally owned devices. Show them the Microsoft research that proves 99.9% of all account compromises would have been stopped if even just text messaging as a second factor in logging in was in use. 

John Pescatore: Then propose some key capabilities, like backup and recovery, which must be extended to personally owned devices. If you'll be working in hybrid mode, with employees regularly going from working at home to working from offices, get the backing for implementing network access control and risk-segmented network zones. Call it zero trust, if you must. There are a lot of good guidelines out for doing this. It is actually much harder to find success stories for trying to go backwards and only allow work to be done from corporate-issued and heavily managed devices. 

John Pescatore: Remember when casual Friday seemed risky? We certainly aren't going back to dress codes. It's more like every day is casual Friday. The mainframe isn't coming back either, but it turns out we can harden heterogeneous mixes of devices and meet business demands for productivity and speed of changes while minimizing risk. After all, that's what they pay us for - making sure the business can do business while the risk is minimized - minimized, not completely avoided. 

John Pescatore: A closing thought - did you ever notice that many college campuses started out with paved walkways that made nice right angles between buildings to support large, rectangular grassy courtyards as envisioned by the architect? Of course, students immediately started walking diagonally across the grass, creating muddy paths for the shortest way to their next class. Most campuses simply paved the diagonal paths, but some did try to put up stay off the grass signs or put in hedges and fences to block the way. Guess which approach won out in the long run? 

Automated Voice #1: Mister. 

Automated Voice #2: Security. 

Automated Voice #3: Answer. 

Automated Voice #4: Person. 

John Pescatore: Thanks for listening. I'm John Pescatore, Mr. Security Answer Person. 

Automated Voice #1: Mister. 

Automated Voice #2: Security. 

Automated Voice #3: Answer. 

Automated Voice #4: Person. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting story from our friends over at the Naked Security blog by Sophos, written by the great Paul Ducklin. 

Joe Carrigan: Duck? 

Dave Bittner: And this is about a romance scammer who targeted 670 women, gets 28 months in jail. What's going on here, Joe? 

Joe Carrigan: It doesn't seem like he's getting a lot of time for targeting close to 700 women, but he conned nine of them out of 20,000 pounds, which is about $27,000 U.S. We've seen bigger takes in these kinds of scams. I'm hoping that no one has lost their life savings in this, and by the looks of this, it doesn't - these aren't really life savings amounts, which is good. I'm glad that nobody has been terribly hurt by this. 

Joe Carrigan: But this guy who's 41 years old pled guilty to charges of fraud and money laundering. And he did scam one person out of 9,500 pounds in a fake 10-month relationship. So he was working this woman for 10 months and got her to send him 9,500 pounds. The story he was using was - he spun a hard-luck story about how he'd run short of money after paying for funerals of a group of people who died in a tragic industrial accident. 

Joe Carrigan: And then he needed money for equipment - for drilling equipment - as he was hiring a business in an overseas venture, rather. And I like what Duck says here - but it was all a pack of lies. 


Joe Carrigan: So he's been arrested, and I guess he's reached a plea agreement, so he's going to do twenty - what? - eight months did they say? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: The article has a great quote from a guy named Dominic Mugan, who is a manager at the National Crime Agency in the UK. He says that this guy had no regard for these women. He went to great lengths to gain their trust, fabricating stories to exploit them out of thousands. This is a typical pattern of romance fraudsters. They work to build rapport before making such requests. Romance fraud is a crime that affects victims emotionally and financially and in some cases, impacts their families. We want to encourage everyone who thinks they've been a victim of this to come forward, not to be ashamed of it. 

Joe Carrigan: That's important. We talk about that a lot. A lot of times, people are embarrassed by this. You know, how could I have been so silly? I've fallen - once they realize it's a scam, they won't talk about it with anybody else. That's not the right response. You have to talk about it. You have to come forward and say this has happened. The best option is to go to law enforcement and complain that you have been the victim of a crime here. 

Joe Carrigan: What's interesting is, because they're actually working on people, they rely on the relationship. None of your technical protections are going to work, right? Antivirus will do you no good against transferring money out to a bad guy. Web filters and other things will not help you. And they have all kinds of different methods for working. 

Joe Carrigan: But there is another thing that Paul talks about in this article that I want to touch on here. And he says the aftermath of this is often overlooked. And namely, it's - the romance scammers sometimes will alienate the victim from their friends and family as a means of keeping the money coming, right? So it's one of the tactics they use. It's isolation. 

Joe Carrigan: But once the scam is over, that damage is still there. That relational damage, like, between the victim and maybe a kid or friend, it's done. And they have a hard time trying to get past that. So it's actually a long-term kind of problem. And, you know, people don't like admitting when they're wrong. It's just part of our nature. And people, again, these people feel embarrassed. And they just can't say - it's tough to say. I'm not saying they can't say. It's just tough to say, you know, look. I should've listened to you. I'm sorry. It's hard for people to do that. 

Dave Bittner: Well, I think too, for those of us who are on the more knowledgeable side of these things, you know, for those of us who are cybersecurity professionals, this, to me, is a good reminder to go to your loved ones, your friends, your family, particularly those elderly people who are the folks that these romance scammers often try to hit, and just preemptively tell them that if you find yourself a victim of something like this or you think something like this might be coming at you, please let me know. And I will not judge you. I will not get mad at you. I will - do not be embarrassed. So that they know that you have their back and their best interest in mind ahead of time. 

Joe Carrigan: And if you think they're being a victim of a scam and you tell them and they get angry, the final thing that you say is, look. I understand that you're upset. I think you're in a scam. And when you realize this is a scam, please do not hesitate to call me back. I will not be mad at you. I understand what's going on here, OK? Don't let this become a barrier between you and your family members or your friends. 

Joe Carrigan: Paul has a great bullet list of what to do. No. 1, don't blame yourself if you get reeled in. This is a great thing. A lot of people go, how could I have been so stupid? You know, it's not that you're stupid. It's that you're an emotional being with emotions. And this person victimized you. It is not because of you. This person did something bad. That is not - and you were probably trying to be a good person, a trusting person. This is not an indication of your character. This is an indication of their character being bad. 

Joe Carrigan: Consider reporting your scam to the police. Always do that. I think it's - even though it's tough and embarrassing to come forward. We've had some really high-profile people on "Hacking Humans" who have come forward with scams that they've been hit with, where they've lost large sums of money. I think those people are remarkably courageous. It's very important to publicize these things and to get it out there. 

Joe Carrigan: Look for a support group. That's helpful. Listen openly to your friends and families when they try to warn you. You know, that's one of the key things. I say watch out for the isolation tactics as well. That's not just in social engineering scams, but in a lot of abusive relationships. Isolation tactics are a hallmark of those things. So you've got to be on the lookout for those. 

Joe Carrigan: Get out as soon as you realize this is a scam. Don't spend time - don't go after the sunk cost here. If it's a scam, walk away. Just go, I got scammed. I'm done. You know, that's got to be your attitude. 

Dave Bittner: All right. Well, good guidance for sure. Again, the article is over on the Naked Security blog from the folks at Sophos. 

Joe Carrigan: Yes. And I'd like to ask this guy to enjoy his 28-month vacation. 

Dave Bittner: (Laughter) There you go. Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.