The CyberWire Daily Podcast 7.5.22
Ep 1612 | 7.5.22

Cyberattack hits Ukrainian energy provider. NCSC updates its guidance on preparing for a long-term Russian cyber campaign. Hacktivists, scammers, misconfigurations, and rogue insiders.


Dave Bittner: Cyberattack hits a Ukrainian energy provider. NCSC updates its guidance on preparing for a long-term Russian cyber campaign. Royal Army accounts are hijacked. A hacktivist group claims to have hit Iranian sites. A very, very large database of PII is for sale on the dark web. Chase Snyder from ExtraHop has a look back at WannaCry, five years on. Ben Yelin examines the constitutionality of keyword search warrants. And a rogue employee makes off with bug reports.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 5, 2022. 

Cyberattack hits Ukrainian energy provider.

Dave Bittner: DTEK Group, Ukraine's largest private energy firm and operator of power plants in various parts of Ukraine, Friday said that it had been the victim of a cyberattack. The attack, in CNN's account, had complicated goals. As DTEK put it, it aimed to destabilize the technological processes of its distribution and generation firms, spread propaganda about the company's operations and to leave Ukrainian consumers without electricity. XakNet - and that's HackNet with an X - a hacktivist organization that's transparently a GRU front, claimed last week to have penetrated DTEK's networks and published some screenshots as coup-counting evidence of its success. The actual consequences of the operation, if any, remain unclear. And there are no reports of power outages connected to the incident. 

Dave Bittner: The website Vosvete IT, relying in part on information from Slovakia's National Security Authority, makes two points that seem to position the incident in the larger context of both lawfare and kinetic combat. They say, these cyberattacks on the consortium occurred just days after Rinat Akhmetov, one of the richest men in Ukraine and a shareholder of DTEK, sued Russia at the European Court of Human Rights for causing billions in damages to his assets. They also occurred at about the same time Russian forces shelled a DTEK power plant in Kryvyi Rih, a mining and industrial city in the Dnipro region. 

NCSC updates its guidance on preparing for a long-term Russian cyber campaign.

Dave Bittner: The U.K.'s National Cyber Security Centre has updated its earlier guidance on preparing for the consequences of a long-running, extensive Russian cyber campaign. Both that original guidance and the recent update concentrating on recommending measures that can be sustained for a long period of time without exhausting security staff or otherwise degrading an organization's ability to operate. The NCSC says, that is why we have published the new guidance on maintaining a strengthened cybersecurity posture in a sustainable way. Among the advice, the NCSC suggests, are revisiting risk-based decisions to ensure defenses are implemented in an efficient way for the long term, empowering frontline staff to take decisions about prioritization, ensuring that workloads are spread across individuals and teams and that frontline staff can take breaks to recharge and providing resources to managers and teams to recognize the signs of someone who is struggling. 

Royal Army accounts hijacked.

Dave Bittner: In other news from the U.K., on Sunday afternoon, the British Ministry of Defence Press Office tweeted a terse announcement that the MOD was aware of a cyber incident. They said, we are aware of a breach of the army's Twitter and YouTube accounts and an investigation is underway. The army takes information security extremely seriously and is resolving the issue. Until their investigation is complete, it would be inappropriate to comment further. The army's own feed took an apologetic line toward any disappointed followers, saying, apologies for the temporary interruption to our feed. We will conduct a full investigation and learn from this incident. Thanks for following us. And normal service will now resume. It took the British army about five hours to wrest back control of its Twitter account, the Telegraph reports. It's unknown who hijacked the accounts or why, and the MOD isn't saying anything until it understands what happened. The Telegram, quick to suspect the worst of the Russians, asked if the incident was a Russian operation, but the MOD has no comment. As they've said, they're not jumping to conclusions until they know more. Bitdefender notes that many have jumped to the conclusion that the incident must have been the work of a nation-state's espionage services. But it has an alternative explanation, arguably more probable. It was possibly crypto bros working an NFT scam. They note that the hijacked YouTube account featured an NFT come-on with the inevitable bogus Elon Musk attribution. 

A hacktivist group claims to have hit Iranian sites.

Dave Bittner: According to reports over the weekend, the group Uprising till Overthrow - apparently an anti-Tehran hacktivist organization - conducted a large operation against Iran's Islamic Culture and Communication Organization. Six sites were hijacked and 15 others were defaced with pictures of Iranian resistance leaders. Forty-four servers, a large number of endpoints and at least 35 ICCO databases were wiped. Before the systems were wiped, the hacktivists are believed to have obtained ICCO data that includes information about money laundering, front groups and espionage and terrorist networks. The operation is said to have begun in the last week of January. In an apparent response to recent nominally hacktivist actions, not only those by Uprising till Overthrow but also operations attributed last week to Predatory Sparrow, IranWire reports that Tehran has temporarily suspended Iranians' ability to access bank accounts from abroad. It's a measure whose purpose, the authorities say, is preventing cyberattacks. 

Very large database of PII for sale on the dark web.

Dave Bittner: Also on Sunday, Binance's threat research team found a very large database of personally identifiable information exposed on the dark web. They say our threat intelligence detected 1 billion resident records for sale in the dark web, including name, address, national ID, mobile, police and medical records from one Asian country. Likely due to a bug in an Elasticsearch deployment by a government agency, this has an impact on hacker detection and prevention measures, mobile numbers used for account takeovers, et cetera. It is important for all platforms to enhance their security measures in this area. Binance has already stepped up verifications for users potentially affected. Binance is reticent about the source of the data, but others say it came from the Shanghai National Police. It's not clear who's obtained the data, but according to Bloomberg the data are being offered for ten bitcoin, roughly $200,000. HackRead reports that the data include the following kinds of information - name, address, birthplace, mobile number, national ID number and all crime and case details. As Binance's tweet suggests, the data exposure appears to be traceable to a misconfiguration and not a compromise or a breach proper. Reuters put the total number of people affected by the data exposure at about 1 billion, but this is, in any case, based on the claims of someone offering the data for sale. Someone using the hacker name China Dan posted this message to the breach forums late last week - in 2022, the Shanghai National Police database was leaked. This database contains many terabytes of data and information on billions of Chinese citizen. Databases contain information on 1 billion Chinese national residents and several billion case records. 

Dave Bittner: Reuters sensibly points out that these claims are so far unverified. The data offered for sale are said to amount in the aggregate to some 23 terabytes. It's obviously difficult to confirm the legitimacy of sample data China Dan posted to show that he had the goods. But The Wall Street Journal spot-checked a few of the items by calling some people whose phone numbers appeared in the tease. The Journal found that in a tiny fraction of a billion or so people, the data was indeed genuine. Chinese authorities have issued no statements so far on the incident. 

Rogue employee makes off with bug reports.

Dave Bittner: And finally, HackerOne disclosed  this past Friday that a rogue insider, a then-employee as the company puts it, had been improperly accessing the bug-bounty platform's vulnerability disclosures with the aim of collecting additional bounties from HackerOne customers. Alerted to the problem by a customer who reported an implausible disclosure offered with uncharacteristically threatening language, HackerOne investigated and found that an employee had improperly accessed security reports for personal gain. The improper access ran from April 4 through June 23 of this year. HackerOne fired the employee, upgraded its security and is considering referring the former employee for criminal prosecution. 

Dave Bittner: Time flies when you're having fun, they say, so it's hard to believe it's been five years since WannaCry ransomware was unleashed on the world, infecting more than 200,000 computers globally, before Marcus Hutchins famously discovered and triggered a kill switch. Tallies vary, but many believe damages from WannaCry totaled in the billions of dollars. For a look back at WannaCry and insights on what we've learned since then, I checked in with Chase Snyder. He's senior product marketing manager at ExtraHop. 

Chase Snyder: When WannaCry first hit, the sort of emotional tone inside of ExtraHop - and in the cybersecurity industry, overall - was one of, what can we do? The news was coming out fast. There was this event where an independent security researcher created this sinkhole that kind of put the attack on pause for a minute and there was all this questions going around - all these questions going around about how do we stop this? Who is doing it? There's so much questioning going on, but, ultimately, it came down to how do we help our customers avoid being impacted by this - not only avoid being hit with the ransomware itself but deal with the ramifications of having to investigate and figure out, are we vulnerable? Have we been hit or are we about to? 

Dave Bittner: Now, my recollection also is that there was a good amount of collaboration, you know, a cross-company collaboration. It was all-hands-on-deck, and a lot of people put their, what would otherwise be, competitiveness aside. 

Chase Snyder: Yeah, absolutely. I think there was a big tone of camaraderie for defenders, where this was a heretofore unseen scale and level of damage that a ransomware was doing. I remember that the national health system of the U.K. was a major victim of it, and the idea that a financially motivated ransomware attack could be impacting people's health care really pulled people together to defend against it and to rise up against that type of a soulless attack. 

Dave Bittner: Do you think we're in a place today where something at the scale of WannaCry could happen? 

Chase Snyder: That's a challenging question. I think that, globally, the scale of ransomware is currently much greater than WannaCry. Could an individual event at the scale of WannaCry occur? The way that ransomware is working is a little bit different now. It has been refined towards the profit motive. WannaCry was still fundamentally landing on devices, popping up a ransom note and demanding a little bit of bitcoin. Nowadays, there's a lot more hands-on keyboard activity where attackers are targeting specific organizations, they're spreading as widely as possible inside of those organizations and then they're detonating. And it's less about trying to extract a couple of hundred dollars' worth of bitcoin from individuals. The tactics have just changed. 

Chase Snyder: But if you think about the NotPetya event, or you think about other more recent events that have occurred, the amount of damage that such an event can do is still enormous and possibly much larger than WannaCry, even if the exact nature of the WannaCry event and the way that it spread and the breadth of organizations that it impacted isn't quite the same. So I would say, globally, the scale of ransomware is bigger and continues to get bigger. The nature of it is different, and defenders have to evolve. 

Dave Bittner: How would you describe the state of the art when it comes to defending against this sort of thing? I mean, the organizations who, you know, by any measure have all the right things in place, what does that look like? 

Chase Snyder: Yeah, fighting the current war on ransomware demands focusing on that network behavior inside of the environment. You still need to have all of that perimeter defense that will stop a large percentage of less sophisticated attackers from getting in. But for a state-of-the-art defense, you need to be watching internally for that stealthy, low-and-slow behavior, the attackers that are actively evading defenses, they're deleting activity logs. They're watching out for endpoint agents and actively avoiding those endpoints as they escalate domains, conduct internal reconnaissance and access as many devices as possible inside of the environment. 

Chase Snyder: The network is the supply line for this type of attacker, so you need to cut off the supply line - the way that they spread their access, and the way they ultimately spread the software, the ransomware - in order to stop them. And I think that's what the state of the art in defense looks like right now is you still have all of those perimeter defenses to cut out the lower sophistication attackers, but you really need to take back the advantage on the network. That's your home turf, and you need to observe and control it to stop the spread of ransomware and to control those supply lines being exploited by the attackers. 

Dave Bittner: Is it possible or even realistic to imagine a future where this is a solved problem? 

Chase Snyder: It's difficult to picture; isn't it, Dave? 

Dave Bittner: Yeah. 

Chase Snyder: I think that the profit motive, the existence of these ransomware as a service organizations and these more and more sophisticated attackers - the fact that they continue to make money makes it very difficult for me to picture a world where ransomware is a solved problem. I think that there will be, for the foreseeable future, a continued escalation of attackers innovating and develop new tactics and defenders having to innovate and develop new tactics as well. 

Dave Bittner: That's Chase Snyder from ExtraHop. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Ben, it's great to have you back. 

Ben Yelin: Good to be with you, Dave. 

Dave Bittner: A fascinating story came by. This is from Forbes, written by Thomas Brewster. And it's titled, "Warrants Can Force Google to Look Through Your Search History - A Tragic Arson Case May Decide If That’s Constitutional." What's going on here, Ben? 

Ben Yelin: This is really a fascinating case. It emanates from an incident in 2020 in the state of Colorado where a house was set on fire. Police found a family inside. They were able to rescue that family, but I believe five individuals who were unable to escape the building died. So we're talking about a very serious crime of arson. Police only had grainy images of the potential perpetrators. They had no information to go on. 

Ben Yelin: So they went to Google to ask for what's called a keyword warrant. Basically, they were asking Google to identify any users who had searched for this particular address within a particular time period - so over the past several days. And they found several people. One of them ended up testifying to law enforcement that he committed the arson. He confessed that he did it because he thought somebody had stolen his iPhone. 

Dave Bittner: And to be clear, he said that he had accidentally set the house on fire, and that just - comment as you do. 

Ben Yelin: Right. 

Dave Bittner: And... 

Ben Yelin: Whoop. 

Dave Bittner: But he pled not guilty, and, you know, so guilty - or innocent until proven guilty. 

Ben Yelin: Innocent until proven guilty. 

Dave Bittner: Right. 

Ben Yelin: Absolutely. 

Dave Bittner: Right. 

Ben Yelin: And they identified a couple of other individuals who have denied any involvement. 

Dave Bittner: Yeah. 

Ben Yelin: It's not, frankly, a very persuasive type of evidence because there are a lot of different reasons why people could be searching a particular property. And that brings us to the civil liberties issues involved. So a bunch of stakeholders, including the Electronic Frontier Foundation, other privacy and civil liberties groups to an effort led by the National Association of Criminal Defense Lawyers is challenging the practice in court of seeking these keyword warrants. So this presents very difficult Fourth Amendment and First Amendment issues. From the Fourth Amendment perspective, unlike traditional warrants, there is nothing particularized about what law enforcement is requesting. They don't have any individualized suspicion that somebody has committed a crime. 

Ben Yelin: This is a real dragnet. I mean, you're dragging in potentially hundreds of innocent people who just happened to type something incorrect into a - or something incriminating into a search bar. So that would end up capturing a lot of the online activity of completely innocent people. Then, from a First Amendment perspective, there's concern about the so-called chilling effect where people would be afraid to engage in common online behavior lest Google could access all of those search terms. So all of us search things on Google that are seemingly not suspicious. 

Dave Bittner: Right. 

Ben Yelin: But we do so because we're curious, maybe for our job, maybe to do research. If all of those were discoverable, if the government were able to obtain a keyword warrant like this, then we might be less prone to doing these types of searches. And that would be a real chilling effect on First Amendment activity. These organizations are challenging this keyword warrant in Colorado state court, which means that if the Colorado state court agrees with these civil liberties groups, potentially even the person who has confessed to being a participant in this arson is going to be set free. So that's, obviously, an outcome that I think a lot of people would rather avoid. 

Dave Bittner: Yeah. 

Ben Yelin: What the civil liberties groups would say is this is about a greater principle. It's protecting the privacy of our online communications, particularly in an era where we're so wed to our devices and about not allowing for these overbroad search warrants where you have no particularized suspicion. You have no indication that any particular person has done something wrong. You're just engaging in a dragnet to get as much data as possible on an individual search term. 

Dave Bittner: Yeah. 

Ben Yelin: We've seen that for things like geofence warrants, where you try and get all of the users that were in a particular location at a particular time. That's kind of overbroad as well, and there have been a lot of legal challenges to geofence warrants. I think this is going to be the next frontier in Fourth Amendment jurisprudence. The Fourth Amendment's drafting was about avoiding so-called general warrants... 

Dave Bittner: Yeah. 

Ben Yelin: ...Where law enforcement in, you know, our - among our British legal ancestors would just go into somebody's house and try and search for something incriminating. That was offensive to our Founding Fathers. That's why we have a Fourth Amendment. It says it has to be a warrant issued by a neutral magistrate, and it has to be based on probable cause. These are not exactly general warrants, but they seem kind of oddly familiar to general warrants. 

Dave Bittner: Well, they quote Mike Price, who is counsel at the National Association of Criminal Defense Lawyers. He says, no other warrant could authorize the search of every house in America, and no warrant should be able to compel a search of everyone's Google search query. 

Ben Yelin: Right. So that might seem overbroad, but it is kind of a slippery slope. In this particular case, they're just looking for people who searched that address. 

Dave Bittner: Right. 

Ben Yelin: But we have talked about it on a previous episode of this show and on our podcast "Caveat," which you should listen to, that after the Supreme Court decision overturning Roe v. Wade, there might be vulnerable individuals searching for abortion clinics on Google or on another platform. And in some states, even that type of activity might be criminalized. So in that case, you might be encapsulating more than just a few individuals who searched a particular address on a certain night. The slippery slope could be a keyword warrant for something that is broader and something that's searched at greater frequency that ends up encapsulating a lot of individuals. And that comes even closer to this offensive concept of a general warrant. I think that's what Mr. Price was getting at here and why there's so much concern with these types of keyword warrants. 

Dave Bittner: Any sense for where we might be headed with keyword warrants? Is this something - is this on a collision course with the Supreme Court? Or where do we stand right now? 

Ben Yelin: I think it's a little preliminary to go there. This is simply going to be adjudicated in Colorado state court. There have been a handful of cases across the country in state courts about these types of warrants, but I don't think we're as close to a Supreme Court resolution as we are on, say, compelled decryption, which we've talked about, or even geofence warrants. 

Dave Bittner: OK. 

Ben Yelin: I think we're in somewhat of an infancy stage here. But I think it's worth us keeping track of how courts decide these cases, whether they think that these warrants are overbroad or whether they think that by typing something into a search bar, you are relinquishing your expectation of privacy. So I'm curious as to how the Colorado state court is going to see this, whether there are disagreements among state courts or if this makes its way into federal court. And then, way down the line, if there is disagreement among circuits or among states, then that might be ripe for review at the Supreme Court. So I do think it's a little early, but I think it's certainly possible that it could end up there. 

Dave Bittner: All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called "Security, Ha." I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.