The CyberWire Daily Podcast 8.15.22
Ep 1641 | 8.15.22

Shuckworm and Killnet continue to hack in the interest of Russia. Iron Tiger's supply chain campaign. TikTok and national security. And an arrest in the case of the Tornado Cash crypto mixer.


Dave Bittner: Shuckworm maintains its focus on Ukrainian targets. Killnet's DDoS and dubious proof-of-work. Iron Tiger's supply chain campaign. TikTok and national security. Dinah Davis from Arctic Wolf shares insights on Dark Utilities. Rick Howard digs into identity management. And an arrest in the case of the Tornado Cash crypto mixer.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 15, 2022. 

Shuckworm maintains its focus on Ukrainian targets.

Dave Bittner: The Symantec Threat Hunter Team, part of Broadcom Software, this morning released a report on the activities of Shuckworm, a Russian state threat actor. The payload in its most recent operation, which Symantec has been tracking since the 15 of July, is an information stealer. The researchers describe the infection vector, saying, the first suspicious activity Symantec saw on victim systems was a self-extracting 7-Zip file, which was downloaded via the system's default browser. Subsequently, mshta.exe downloaded an XML file, which was likely masquerading as an HTML application file. These files were downloaded from a domain known to be associated with Shuckworm activity. The malicious domain has been seen before, appearing as it did in an email that pretended to be from the Security Service of Ukraine and whose phishbait was, according to CERT-UA, a subject line containing intelligence bulletin. A Trend Micro report observes, this being the case, it is most likely the 7-Zip file seen on victim networks in the campaign observed by Symantec was delivered to victims via email. 

Dave Bittner: Also known as Gamaredon, Armageddon, ACTINIUM or Primitive Bear, BleepingComputer last November reported that Ukraine's SSU had connected the group Symantec calls Shuckworm with a unit of Russia's FSB operating from Crimea. The Symantec Threat Hunter Team's overall picture of Shuckworm sees it as making up in persistence what it lacks in tactical sophistication. They say, as the Russian invasion of Ukraine approaches the six-month mark, Shuckworm's longtime focus on the country appears to be continuing unabated. That this recent activity continues even after CERT-UA documented it shows that fear of exposure does not deter the group from its activities. While Shuckworm is not necessarily the most tactically sophisticated espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations. The report includes a list of indicators of compromise. And what's your secret, Shuckworm? Well, like Crazy Eddie's, it seems to be volume. 

Killnet's DDoS and dubious proof-of-work.

Dave Bittner: Tagesspiegel reports that websites belonging to Latvia's parliament came under a distributed denial-of-service attack last Thursday. Killnet claimed responsibility, and the nuisance-level attack is certainly directed in the nominally hacktivist Russian front group's wheelhouse. The attack, which largely fizzled, was a comment on Latvia's vote to designate Russia a terrorist state for its aggression and war crimes in Ukraine. Killnet's own designation of Lockheed Martin as a terrorist organization has been followed by the group's claims that the American manufacturer of HIMARS rocket artillery systems has been successfully subjected to a ransomware attack that exfiltrated data on company personnel. Killnet has published a video they say proves they've got the data. But SecurityWeek Friday reported continuing assessments, most recently by Searchlight Security, that this is an empty claim. They say, cross-referencing a sample of the data, it does appear that they are or were genuine Lockheed employees. However, that does not necessarily confirm that the company was breached. For example, this could be a rehash of old or open-source data in an attempt to undermine the organization and intimidate its employees. So Killnet seems to be shining on, at least as far as Lockheed Martin is concerned. It's really kind of sad. If you can't trust a Russian intelligence front group, who can you trust nowadays? 

Iron Tiger's supply chain campaign.

Dave Bittner: Trend Micro reported Friday that Iron Tiger, a state-run threat actor associated with China and also known as APT27 emissary, Emissary Panda, Bronze Union and Luckymouse, has compromised the MiMi chat app with a view to attacking Mac OS systems - the first time that this particular targeting has been used by the group. The researchers say, we noticed that a chat application named MiMi retrieved the rshell executable, an app we came across recently while investigating threat actor Earth Berberoka. We noticed Iron Tiger controlling the servers hosting the app installers of MiMi, suggesting a supply chain attack. Further investigations showed that MiMi chat installers had been compromised to download and install HyperBro samples for the Windows platform and rshell samples for the macOS platform. While this was not the first time the technique was used, this latest development shows Iron Tiger's interest in compromising victims using the three major platforms - Windows, Linux and macOS. 

Dave Bittner: MiMi - which, according to Trend Micro, means secret - is designed for Chinese users, who represent the greater part of its clientele. Trend Micro found in the course of its investigation that, in this instance, Iron Tiger compromised the server hosting the legitimate installers for this chat application for a supply chain attack. The targets of the campaign were in Taiwan and the Philippines. 

TikTok and national security.

Dave Bittner: TikTok has, since the previous U.S. administration, been regarded in Washington as a potential security threat. It still is, and if anything, the New York Times reports, concerns about the social medium are growing. The issue is the app's potential for sharing data with Chinese intelligence services. The Times writes, the bipartisan scrutiny of TikTok - effectively at its most intense since Mr. Trump tried to force the app’s sale to an American buyer in 2020 - is mounting as the platform grows ever more popular. With more than 1 billion users, TikTok has become a prime engine for cultural phenomena, like the scores of young people who posted last month about dressing in suits to see the latest "Minions" movie. Today, 67% of 13- to 17-year-olds in the United States use the app, according to a report last week from the Pew Research Center

Dave Bittner: For its part, TikTok says its data collection is modest - certainly nothing like the collection done by competing social media. But congressional leaders in both parties aren't mollified. The present U.S. administration sees the problem with TikTok as an instance of a larger problem with social media, and it would seek to address the more comprehensive issue as opposed to that presented by a single platform. There's a growing bipartisan sense in Congress, however, that the administration is moving too slowly on the matter. The deliberate pace of regulation is in part driven by U.S. court decisions, which ruled against President Trump's executive orders restricting TikTok and another Chinese-owned app, WeChat. President Biden accordingly pulled back both directives. 

Dave Bittner: CSO polled security experts and came up with three ways data collected by TikTok could be put to malign use by Chinese intelligence services. First, it could be used to prepare target profiles of individual users. Second, it could be used to develop more effective spear phishing campaigns, and those could easily serve intellectual property theft. Finally, the data could be used for more precisely focused influence operations, delivered with a rifle shot accuracy marketers could only envy. 

Amsterdam arrest connected to alleged Tornado Cash money laundering.

Dave Bittner: And finally, police in the Netherlands have announced that they've made an arrest in connection with concealing criminal financial flows and facilitating money laundering through the mixing of cryptocurrencies through the decentralized Ethereum mixing service Tornado Cash. The specific issue seems to involve handling funds stolen on behalf of Pyongyang. The Netherlands' Financial Advanced Cyber Team - that is, FACT - suspects that Tornado Cash has been used to conceal large-scale criminal money flows, including from online thefts of cryptocurrencies, so-called crypto hacks and scams. These included funds stolen through hacks by a group believed to be associated with North Korea. Whatever it was up to, Tornado Cash has passed a lot of altcoin through its channels. Since the service opened in 2019, FACT says the service has since achieved a turnover of at least $7 billion, at least a billion dollars' worth of which was of criminal origin. 

Dave Bittner: The arrest came Wednesday, two days after the U.S. placed Tornado Cash on a list of sanctioned entities. The Netherlands authorities didn't identify the person arrested beyond calling him a 29-year-old man in Amsterdam. But according to the Block, the 29-year-old guy's wife has identified him as Alexey Pertsev. She's standing by her man, saying she's shocked at the arrest and is consulting with attorneys. My husband didn't do anything illegal, she said. Presumably, Mr. Pertsev will soon enough have his day in court. 

Dave Bittner: And it is always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, always a pleasure. 

Rick Howard: Hey, Dave. 

Dave Bittner: So I have noticed a pattern in your "CSO Perspective" episodes of late. It seems to me... 

Rick Howard: (Laughter). 

Dave Bittner: Well, as a regular listener, dare I say a fan boy of the show, it seems to me that you are spending a lot of time talking about identity and specifically how we manage identity in our own environments, both at home and at work. Am I right that this seems to be a pattern, a bit of an area of focus for you, or am I just seeing things? 

Rick Howard: Oh, no, Dave, you're on to me, OK? It looks like I have been found out. 


Dave Bittner: Uh-huh. 

Rick Howard: Uh-huh. So what I've been slowly realizing over these past couple of years is that most of us consider that orchestrating the security stack for our own digital environments and all that entailed - you know, from people processing technology - that's the task that we spend the most of the time with, you know, and as well we should. But if we have any hope of deploying some kind of zero-trust program - which you know I'm a big advocate for - but before you even start, you have to get a robust identity and access management system in place because if you don't know who is connecting to your material systems or what devices or what applications are, you can't build any zero-trust rules to limit access. You can't create an identity governance and administration committee, or IGA as the cool kids say, unless you know those things, right? So... 

Dave Bittner: Yeah. 

Rick Howard: But once you do, you can then start to tackle one of the most complex problems in identity and access management, which is privileged identity management or PIM. You know, and that's the one thing about this identity management stuff - it's chock-full of acronyms. 

Dave Bittner: Yeah. 

Rick Howard: But how do you manage the employee accounts, their devices and any critical software apps that require some sort of elevated privilege to run in your environment, but to reduce the potential impact if they are hacked? So for this week's "CSO Perspectives" episode over on the subscription side on the CyberWire Network, we're talking about PIM and the things you should consider as you're setting up your program. 

Dave Bittner: All right. Well, that is over on the pro side. On the free side, for "CSO Perspectives" public, you are rolling out the idea of adversary playbooks. 

Rick Howard: Yeah, this is one of my pet peeves, Dave, for the cybersecurity industry, in that many of us don't really know what it means when you read an article in the press that says something like "Emissary Panda Breeds Networks via Zoho and Exchange Servers," you know? Some people think that Emissary Panda is a group of Chinese nation-state actors, and that might be the case. But in the commercial world where we don't have access to classified government intelligence, Emissary Panda is a colorful name that we attach to observable hacker attack sequences using the MITRE ATT&CK Framework to standardize on the operational language. So in other words, we've seen these sequences in the wild. I call these things adversary playbooks, and we study them so that we can insert prevention and detection controls into our already deployed security stack. So in this "CSO Perspectives" public episode, we talk about how to do that in your own organizations. 

Dave Bittner: All right. Well, before I let you go, what is the word of the week on your "Word Notes" podcast? 

Rick Howard: This week's word is homograph phishing, and I kind of like just saying that out loud. All right, it's a... 


Rick Howard: So it's the technique... 

Dave Bittner: Rolls trippingly off the tongue? 

Rick Howard: Yes, it does, all right? It should be a musical on Broadway any day now. I'm sure. 

Dave Bittner: (Laughter). 

Rick Howard: So it's that technique where hackers use similar-looking letters in a URL, like the number zero and the letter O, to trick you into clicking that bad link. And we even tie this idea back to the "Mission Impossible" TV and movie franchise, so how great is that? 

Dave Bittner: All right, we'll look forward to all of it. Rick Howard is the CyberWire's chief security officer, our chief analyst. But more important than any of that, he is the host of the "CSO Perspectives" podcast. You can find out all about that on our website, Rick, thanks for joining us. 

Rick Howard: Thanks, Dave. 

Dave Bittner: And joining me once again is Dinah Davis. She is the VP of R&D operations at Arctic Wolf. Dinah, it is always great to welcome you back to the show. I know there is some research that you wanted to bring our attention to today. Can you share - so what caught your eye? 

Dinah Davis: Yeah, it was this interesting article about a ransomware-as-a-service group called Dark Utilities, and they've gone, like, full-on marketing - like, they're a completely legit business. They've got this, like, beautiful website and, you know, they've got lines like, simple injection - it's very easy to use - EXE the file or the command on the server, and here we go. Or like, persistence - you don't need to start the script at every restart. It will start automatically - you know, like, just making sure it's going to work really well for them. Or, like, their little crypto mining bit here - you can use all your connected servers for mining XMR by putting your wallet in the config - so, like, just, like, really trying to sell it, like, this is so easy, this is so great. 

Dave Bittner: Right. 

Dinah Davis: So this is a bit of a problem (laughter). 

Dave Bittner: How much would you expect to pay for this malware? Don't answer, because there's more. 

Dinah Davis: Right, and you know what - how much you would pay? Ten euros - 10 euros for access to this - that's it. So they're, like - that's kind of crazy, right? They're going - they're lowballing the market, right? And the research - the article said that as of August 4, the platform had over 3,000 users. So that's $30,000 right there... 

Dave Bittner: Right, right. 

Dinah Davis: ...For this group, right? 

Dave Bittner: We should point out that this research comes from the folks over at Cisco Talos, who always do good work over there. What other stuff caught your eye here? 

Dinah Davis: Yeah, so it offers remote system access and DDoS capabilities as well as crypto mining. And they also have very, like, active Discord and Telegram communities. So they've got, you know, help and all of that. And it supports Windows, Linux and Python-based tools. So that means you can get into multiple architectures. So it's very interesting. I mean, the good news is here - researchers can get accounts, too, which is obviously what they've done to check it out. I don't think any of the tools are that crazy. Like, these are tools that, you know, have been around, but they're just offering them with instructions and support in such a way that it's going to make it easy for kind of, like, anybody to try and go at this. 

Dave Bittner: So really lowering the bar here on the level of technical sophistication you have to get into this business? 

Dinah Davis: Yes, that's exactly it, right? So you don't need to be very savvy to be able to start using this 'cause they have all the support that comes with it. 

Dave Bittner: Are there any recommendations here for organizations to protect themselves against this sort of thing? 

Dinah Davis: Yeah, so they - researchers have already started to recognize the file signatures. So, you know, making sure all of your security stuff is up to date, making sure all your systems are up to date so that you are not vulnerable - again, it just goes back to, like, the same things we say all the time, right? Make sure all of your systems are up to date. Do your vulnerability patching. Use multi-factor authentication so that, you know, it's harder for people to get in, and train your employees, right? Make sure they've done awareness training - that they're aware of the things that they need to do. 

Dave Bittner: Yeah. All right. Well, it's interesting for sure. Again, this is from the folks over at Cisco Talos. And this utility is called Dark Utilities. Dinah Davis, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Hah! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks," where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.