The CyberWire Daily Podcast 4.17.23
Ep 1803 | 4.17.23

Developments in the Discord Papers, including notes on influencers and why they seek influence. Tax season scams. KillNet’s selling, but is anyone buying?

Transcript

Dave Bittner: The alleged Discord Papers leaker has been charged. We look at how the Papers spread online. A life lived online as a security risk. US tax season scams, at the 11th filing hour. Caleb Barlow from Cylete on the layoffs in security that many thought would never happen. Maria Varmazis and Brandon Karpf share the launch of the new space podcast, T-Minus. And KillNet says it's open for business.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 17, 2023.

The alleged Discord Papers leaker has been charged.

Dave Bittner: The alleged Discord Papers leaker has been charged. Jack Teixeira appeared Friday in federal court in Boston to face charges under the Espionage Act. The AP reports that he's accused of two counts of unauthorized retention and transmission of classified national defense information. He did not enter a plea, but a federal magistrate judge ordered him jailed until a detention hearing next week. The motivation of the alleged leaker was, by all accounts, not ideological, but simply a desire to show off in the disinhibited online world. Mr. Teixeira was evidently a leader and influencer within his small Discord circle. And the Washington Post cites a friend of Mr. Teixeira's who knew something of his online followers as explaining his alleged motive as "wanting to share and show off the secrets he knew to a small circle of online friends who bonded over video games."

A life lived online as a security risk.

Dave Bittner: Foreign Policy has a reflective essay on the role social media have come to play in espionage. The authors, Jonathan Askonas, assistant professor of politics at the Catholic University of America, and Renée DiResta, a technical research manager at the Stanford Internet Observatory, describe the mindset of a leaker, stating, "The likely motivations of the leaker are impossible to understand without digging into the deepest layers of internet culture. This leak is not a strange one-off but a harbinger of a future where secret statecraft meets an online world in which, for many people, the virtual is replacing the physical as a source of companionship, camaraderie, and social clout. This online world is fast replacing traditional espionage as a source of intelligence leaks, a shift that has profound implications for the future of spycraft, especially counterintelligence."

Dave Bittner: Online relationships can combine both a much sought intimacy and a sense of safety, of being at least one layer away from the direct risks of personal contact. That sense of safety is of course misplaced, but it comes very easily. And the transactional nature of online relationships, which amount to a gift economy, also tempts people to share secrets better left unshared. Askonas and DiResta write, "Internet communities operate as gift economies where one's status is largely determined by the valuable content one brings to the community: spicy memes, obscure videos, interesting links or secrets." Any organization considering insider risks might take the picture the essay offers to heart.

Dave Bittner: Many of the online communities people find so engrossing, like those hosted by Discord itself, are formed of gamers. And this hasn't gone unnoticed by military and intelligence services themselves. The US Department of Defense has sought to use Discord as a recruiting resource, for example, the Washington Post reports, much as earlier recruiting campaigns had used television ads and high school visits to connect with potential recruits. And hostile intelligence services haven't been a slow study either. Games Industry quotes Microsoft President Brad Smith as commenting that "the company's researchers have observed Russian services spending more time and effort to penetrate, compromise and manipulate online gaming communities for espionage and influence operations."

How the Discord Papers spread online.

Dave Bittner: The Discord Papers apparently spread with the help of another online fantasist, the self-styled "Donbas Devushka", a "Donbas Girl", who claimed to be from Luhansk. In some personae she gave her first name as Mila, but in fact, according to the Wall Street Journal, she is allegedly one Sarah Bils, a 37-year-old from Voorhees, New Jersey, a US Navy veteran who now lives in the Pacific Northwest. Donbas Devushka has for some time blogged and podcasted pro-Russian memes and topics. The podcasts are said to have been delivered in an implausible, Ensign-Chekov-style Russian accent. She collected and reposted much of the stuff that was circulating in the Thug Shaker Central Discord channel. Her motives appear to be the increasingly familiar desire for influence and place in the online social world.

US tax season scams, at the 11th hour.

Dave Bittner: So fellow Americans, did you file your income tax returns two days ago on April 15th? Ah-ha, just kidding. That wasn't the deadline this year. Tuesday, April 18th is the day on which US income tax returns are due this year.

The traditional April 15th deadline for filing fell, as it did, on a weekend, and Emancipation Day's observance on Monday pushed the filing deadline back an additional day. Tax season is usually an occasion for a wide range of fraud, combining as it does fear and greed, emotions that tend to cloud the judgment and render people vulnerable to scams.

Dave Bittner: This year a number of such scams, however, have been targeted at victims who normally have greater detachment than the harried and baffled taxpayers themselves. Sophos researchers report that criminals, on the eve of the US tax filing deadline, are conducting spear-phishing campaigns against tax professionals themselves. Sophos writes, "Financial accountant firms and CPAs are in the crosshairs this tax season, as a threat actor is targeting that industry with an attack that combines social engineering with a novel exploit against Windows computers to deliver malware called GuLoader." GuLoader is an unusually evasive shellcode-based downloader that can be used to infect compromised victims with follow-on attacks.

Dave Bittner: The use of password-protected zip files has been noticed for over a month. Securonix began publishing research into this particular campaign as early as March, when they identified a campaign of hyper-targeted phishing emails they tracked as TACTICAL#OCTOPUS. The bundling of the malicious phish hook in a password-protected zip file has proceeded in distinct stages. After the criminals initiate contact, they induce an initial infection: a PowerShell one-liner command that downloads the Visual Basic file. The next phase is VBS file execution, which in turn enables PowerShell execution, at which point they've achieved access to the victim's system.

Dave Bittner: It's a clever campaign. Securonix says that attribution is ambiguous, but that circumstantial evidence points to a Russian threat actor. They say, "Two of three IP addresses identified in the attack were registered to Petersburg Internet Network Limited in the Russian Federation. This could indicate Russian origins, however the possibility of false flag operations cannot be ruled out at this point." According to Microsoft, in most cases the scammers are installing the Remcos remote access trojan. Remcos, developed in 2016 and in malicious use since shortly after its introduction, enables the attacker to gain administrative privileges in Windows systems. Microsoft writes, "Successful delivery of a Remcos payload could provide an attacker the opportunity to take control of the target device to steal information and/or move laterally through the target network." So spare a thought for your local tax professional. They work under challenging circumstances, and by that we mean a lot more than the challenges of reading all those sales slips you give them for professional expenses and all those oddball handwritten notes for charitable contributions.

The business side of KillNet.

Dave Bittner: And to return to online activity in Russia's hybrid war, we close with a bit of news about KillNet, the Russian hacktivist auxiliary. An advertisement on KillNet's Telegram channel is offering gigabytes of NATO documents. The ones they show are training PowerPoint presentations at the lowest classification. They want three Bitcoin for the documents, which at yesterday's exchange rates is about $91,000. That's almost what a newly promoted US Air Force colonel makes in a year's base pay. Apparently the leaks aren't selling at that price, so KillNet has knocked down its ask and repackaged its merchandise. But caveat emptor, friend: think about it, it's training PowerPoint slides. But as KillNet might say, hop to it, world. Or not. We'll pass.

Dave Bittner: Coming up after the break Caleb Barlow from Cylete on the layoffs in security that many thought would never happen. Maria Varmazis and Brandon Karpf share the launch of the new space podcast, T-Minus. Stay with us.

Dave Bittner: And it is my pleasure to welcome to the show a couple of members of the CyberWire team, or perhaps I should say, the N2K Networks team. Maria Varmazis is our space correspondent and Brandon Karpf is the executive director of our new markets. Maria, we have some exciting news to share here with our CyberWire listeners who are familiar with you from being our space correspondent. But you're branching out on your own here now.

Maria Varmazis: I am, I'm striking out into the final frontier.

Dave Bittner: Love it. Well tell us about the show.

Maria Varmazis: Yeah. I am now, I am the new host of our new show called T-Minus, the daily space podcast for space professionals.

Dave Bittner: Well let's dig into some of the details here. I mean, why this show? And why now?

Maria Varmazis: Well, we are in what's often called the new space era. So, if our listeners are familiar with all the satellites going up into space courtesy of folks like SpaceX, we've got so much going on in the space industry. Thousands of new satellites, lots of development happening across commercial sectors and government sectors and the military. Lots of incredible developments happening, and happening extremely quickly. So we thought that it was time for us to help the professionals out there who are working in this field, whether they're private or public sector, and give them the daily news that they need to stay on top of the very fast-changing developments in their world. And that's exactly what we're doing with T-Minus.

Dave Bittner: And Brandon, can we speak to the launch of this podcast from the bigger picture, where it fits into N2K Networks?

Brandon Karpf: Yeah, sure. So this has always really been the plan for our larger company, which is to find these industries that have a professionalized workforce. A set of people who work in the industry who, they're not lawyers, they're cybersecurity lawyers; they're not CEOs, they're cybersecurity CEOs. And find that industry that is characterized by having a workforce that needs to stay in the know, and stay up to speed with a rapidly and relentlessly changing information environment. And what we find in the space industry is, it's exactly that. It has a professionalized workforce: they have engineers, CEOs, policy people and lawyers, accountants and marketing folks, all who are focused on this industry, which is, as Maria said, the new space era. And at the same time you see tremendous investments, thousands of companies coming online, a rapidly changing technology ecosystem that's really hard to stay on top of. And what we're doing at N2K Networks is we're focusing on those industries characterized by those two dynamics. And we're breaking it down just to make it easier to stay in the know, and delivering you, as that professional, the information you need to know every single day, to stay on top of things and to continue to develop as a professional in that field. So that's our focus at N2K Networks more broadly. And here we are doing this for the first new industry since cyber, which is the space industry.

Dave Bittner: Maria, I know lots of our listeners are familiar with you from your appearances on our show, also on Smashing Security in the cyber realm. Can you give us a little bit of information on your background when it comes to space?

Maria Varmazis: Mainly an enthusiast, to be honest with you. I wanted to be an astronomer growing up, so I studied a lot of the physics, the very basic physics for astronomy. Went to engineering school; some people know my story, I did two years of that and then left after a while. But basically cybersecurity has been my focus for a good while, so I am pivoting into space and I'm very upfront about that. I'm new and I'm learning about the space industry as I go, and I'm hoping to take listeners on that journey with me. Now I've been doing this for a couple of months now, actually more like half a year now, come to think of it. So I'm not completely green. But it's been an amazing journey of learning for me, and I've got to say folks in the space industry are extremely generous with what they are happy to share. And in that way it actually reminds me of the cybersecurity industry; people are really happy to share their expertise and just, they're like, hey, you are interested in this, I'll teach you all about it. Come on in and I'll show you the ropes. So it's been fantastic. And there's actually a lot of cybersecurity overlap in the space industry, which has been awesome, so that's been a kind of nice on-ramp for me as well.

Dave Bittner: Oh, and Brandon, that was going to be my next question for you: can we expect to see some synergy between these two efforts, the cyber and space? As Maria says, certainly a lot of crossover there.

Brandon Karpf: Most definitely. These are two very close industries. When you think about the space architecture and the technology, everything is connected through the radio frequency, everything has communication protocols, there's encryption considerations. You have the space segment, the things in orbit that have security considerations, software and hardware. You have the ground segment, the systems on the ground receiving communications and transmitting communications that have security considerations. And then you have the link segment in between the two. Again, thinking about a whole host of cybersecurity topics. So, cybersecurity is definitely going to be a topic that we cover regularly, especially considering where we come from as N2K Networks, born from CyberWire. So that's definitely one of the core topics that we will cover regularly. And then there will be more. You know, we'll be discussing satellite technology, launch services, human spaceflight, military space, business and investing and a lot more. So we're covering the entire industry as well. But it's a fascinating technical space.

Dave Bittner: Well, as an amateur lifetime space nerd myself, I'm excited for the launch of this show. It's called T-Minus. Maria, where's the best place for folks to find it?

Maria Varmazis: Anyplace where fine podcasts are purveyed. So if you're a Spotify or Apple fan, it's fine, we're there too. So we're everywhere, so just look for us, T-Minus Space Daily, and you'll find us.

Dave Bittner: Alright, Maria Varmazis is the host of T-Minus, a new podcast from N2K Networks. And Brandon Karpf is executive director of new markets for N2K Networks. Thanks so much, both of you, for joining us.

Maria Varmazis: Thanks Dave.

Brandon Karpf: Thanks Dave.

Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. He is the founder and CEO at Cylete. Caleb, it is great to have you back. We are seeing something right now that I think many of us wondered if we would ever see in cybersecurity, and that's broad layoffs. Many of the big companies, well, I say companies big and small, are cutting back on staffing. What's your perspective here?

Caleb Barlow: Well, I mean, hey folks, we're not all that special anymore. We're in with everybody else, and guess what, the economy's slowing down and we're seeing security professionals laid off really in mass numbers for the first time. So, let's talk a little bit about if this happens to you, and by the way it can happen to anybody. I mean.

Dave Bittner: Yeah.

Caleb Barlow: If you're in a career long enough, I've had to lay plenty of people off and I've been laid off before. It's, let's first acknowledge the first thing, it sucks. But.

Dave Bittner: Yeah.

Caleb Barlow: Now that it's happened, let's muscle up and let's get through it. And, you know, I think the first piece of advice here is, try to spend a couple of days, and only a couple of days, understanding why. You know, what is it, maybe about you, or about your job, or about what you were doing, that put you in that target zone, just so it doesn't happen again? And you're probably not going to get that feedback from your immediate manager because, well, you know, they have to be very cautious about what they say once they have laid somebody off, because obviously they're worried about legal repercussions. But reach out to your peers, reach out to your colleagues, you know, maybe there's some learning moments there, either for you or in your job search, for what types of jobs or functions you want to do, or what types of companies you want to work for in the future.

Dave Bittner: Is it worth noting that sometimes, especially when you have big numbers like this, there isn't always a rational why? Sometimes you just get caught up in the numbers?

Caleb Barlow: One hundred percent. And, you know, again, this can happen to anybody. And even when it's performance related, like, I'll tell you, some of the best people I have ever hired have had horrible performance at other companies. You know, sometimes it's just the right person cast in the wrong role. And that's okay. The important thing is, can you acknowledge that, can you kind of learn from that and make sure you don't get in that situation again?

Dave Bittner: I see.

Caleb Barlow: The other thing that's really key here is, mental health matters, and this is not going to be an easy journey. It's going to be hard, it's going to take a while. And you've got to prioritize your mental health and what that means to you through the journey. Right, it doesn't mean you spend 40 hours a week looking for a job. You know, you've got to give a little bit of time to yourself in this, and frankly leverage some of that down time to recharge. Otherwise you're just not going to end up in a good place.

Dave Bittner: I think part of the surprise here is that, for years now we've been saying there aren't enough people in cybersecurity, we're never going to catch up. And so I think it's a little bit of a punch to the gut for a lot of folks to see that. The people have been saying that for all these years. No, layoffs can hit anybody.

Caleb Barlow: Well, layoffs can hit anybody. I do think the positive way to look at this is, the odds of you finding a new job, finding potentially an even better job, are very high relative to other careers, or other pursuits. So, you know, this isn't really so much that the industry is taking a hit, although the, you know, aggregate number of open jobs has dropped. I think this is more of an issue of, there are a lot of companies that were growth oriented, that got over their skis, and now, whether it's venture capital, private equity or public companies, the expectation now is people are moving towards profitability. And sometimes that means, hey, we've really overstaffed or we're overspending. And to be blunt, there are also cases, particularly in the cybersecurity industry, where people have been spending lots of money on really dumb things that don't necessarily move the needle. And that heyday is over. Right? So, that's the other aspect of this. Now, I think one of the other big things to really recognize in this, and this is particularly true of LinkedIn, but you're going to see this in other job orgs as well, is that these, you know, just like, you know, we all heard about how particularly, you know, teenage girls are getting hit hard with kind of body shaming issues on Instagram and other social media sites during the pandemic, right?

Dave Bittner: Right.

Caleb Barlow: And this became an issue for mental health. The same thing can happen when you're job seeking, you know, kind of that job shaming, if you will. A lot of what you're going to see out there are kind of the Brochaud's of people out at the, you know, the golf course with their buddies. Or, you know, standing next to, you know, some notable in the cybersecurity field, or a government official, or whatever. You're also going to see that what gets amplified on these sites is highly biased. Right? And, you know, it's biased towards, you know, remember recruiters are looking for certain demographics, marketers are looking to push certain demographics. So these things naturally get repeated and amplified. Right? So, depending on where you fit in that, you may find, hey, I just don't seem to get a whole lot of traction. It's not you. Recognize these sites are biased, that's okay, I mean that's just where you're going to have to operate. But, you know, you've got to be cognizant of it enough because, again, if you look at your own value as how many shares you get, or how many people are looking at what you post, that can get really depressing really quick. It's just not the case.

Dave Bittner: Yeah. I know there's that old saying about, be careful not to compare your own behind-the-scenes with someone else's highlight reel.

Caleb Barlow: Exactly. Right? And, you know, I mean to put a more pointed tip on this, right? We're an industry that is desperately looking to bring more women into the cybersecurity field and that's fantastic.

Dave Bittner: Yeah.

Caleb Barlow: But what that means is that posts from, let's say, a technical female in the cybersecurity field are going to get significantly amplified. You know, on the other hand of this, you know, unfortunately, you know, we often look at people of Russian or Chinese descent as the enemy. So, you know, you might be a US citizen that just happens to have a Russian-sounding name. It's going to be really difficult to get that kind of amplification on these sites because it's security professionals that are looking at it. Again, it sucks, it's unfortunate, it's biased, but be aware of it, and there are lots of ways to kind of work around it. And, you know, be knowledgeable of it and be cognizant of it.

Dave Bittner: Yeah. What are your recommendations here, given that this is our new reality? What do you think?

Caleb Barlow: Well, first of all, again, mental health matters a lot. Recognize that a lot of job posts are bogus and excessively filtered. So, you know, it isn't so much about getting out there and applying to a gazillion jobs as it is leveraging your network. You know, get on the phone, talk to everybody you know. Because they may find out about a job opening that you might be perfect for a month down the road. You know, you should be prioritizing talking to people, versus posting and applying on job sites. Not that you don't want to do those other things. The other thing is, don't be afraid of doing some free work. You know, if you find out about somebody starting a company or doing something and maybe you have a skill that can help them out, dive in a bit. You know, you've got the time. Or for that matter, even sending unsolicited proposals to someone on how you think you could improve what they're doing. Maybe you're a marketer and you've got an idea for a campaign that would be perfect for a company; drop the CEO an email. Prioritize person-to-person communications, and I don't think you'll be laid off for long.

Dave Bittner: Alright. Well, good insights as always. Caleb Barlow, thanks for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called The Darkside with Dave. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.