The CyberWire Daily Podcast 11.8.23
Ep 1944 | 11.8.23

No major threats showed up in yesterday’s US elections, so now we can start thinking about the risk during the holidays.

Transcript

Dave Bittner: CISA claims "No credible threats" to yesterday's US elections. Criminals seek to profit from the .ai top level domain. A Singapore resort sustains a cyberattack. A look ahead at holiday cyber threats. A major Chinese cyberespionage effort against Cambodia. The four cyber phases of a hybrid war. Robert M. Lee from Dragos explains how outside forces affect OT and critical infrastructure security. Our guest is Dan Neault of Imperva sharing how organizations are behind the eight-ball when relying upon real-time analytics. Cyber and electronic threats to space systems.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, November 8, 2023.

"No credible threats" to yesterday's US elections: CISA.

Dave Bittner: We begin with a quick word about yesterday’s US off-year elections. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said yesterday that “We continue to see no specific or credible threats to election infrastructure.” So the cyberthreats against which election authorities prepared the voting seem to have for the most part been no-shows.

Criminals seek to profit from the .ai TLD.

Dave Bittner: Cybercriminals are increasingly registering .ai domains for use in phishing attacks, researchers at Netcraft warn. .ai is the country code top-level domain (ccTLD) for the British Overseas Territory of Anguilla, and is used by many legitimate companies associated with AI technology. Malicious use of the domain has spiked following the release of ChatGPT and other AI tools over the past year.

Dave Bittner: Netcraft explains, “The hype surrounding AI over the last few years perhaps explains why victims are ignoring long-established conventions of ‘avoiding unknown links’, and instead are willing to click on .ai URLs. In the past year, there have been numerous legitimate AI products created (mostly from new/generic brand names), which means victims are getting used to seeing (and clicking on) .ai brands and URLs. The increasing familiarity of seeing domains that end in .ai – coupled with a curiosity about AI fuelled by months of media speculation – makes the .ai ccTLD attractive for cybercriminals.”

Dave Bittner: It's profit from a pun. 

Dave Bittner: The researchers add, “It’s worth noting that .ai domains are much more expensive than other domains. A .ai domain costs around $60, compared to $10 for a .zip domain or a .com domain. We suspect that criminals believe that the implied ‘legitimacy’ of .ai domains is worth the extra cost, as there is a notable proportion of purpose-registered .ai sites (particularly for cryptocurrency investment scams).”

Dave Bittner: Sometimes ai is just a.i., not, y’know, AI. We think Freud said something like this about cigars. A question for all AI trainers–do artificial intelligences think that maybe they’re from Anguilla? It seems like the kind of hallucination they might experience.

Singapore resort sustains cyberattack.

Dave Bittner: Singapore’s Marina Bay Sands resort has disclosed a data breach that affected the personal information of 665,000 customers, CNA reports. The breached data belonged to non-casino rewards programme members, and included names, email addresses, mobile phone numbers, phone numbers, countries of residence, and membership numbers and tiers. The incident occurred on October 19th and 20th 2023. The company said in a statement, “We will be reaching out to Sands LifeStyle loyalty programme members and sincerely apologize for the inconvenience caused by this incident. We have reported it to the relevant authorities in Singapore and other countries where applicable and are working with them in their inquiries into the issue.”

Dave Bittner: The incident has attracted notice because of the obvious comparison it bears to October’s breaches at MGM Resorts and Caesars Entertainment. The obvious dissimilarity is that the attack on Marina Bay Sands apparently affected the non-casino side of the business.

A look ahead at holiday cyber threats.

Dave Bittner: We don’t want to contribute to holiday creep, but actually it’s probably worth thinking in advance about the risks that Thanksgiving, Chanukkah, Christmas, and the New Year will present those who do business online. 

Dave Bittner: Yesterday the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) issued its 2023 Holiday Season Cyber Threat Trends report. The report outlines the threat landscape for the retail and hospitality sectors during the holiday season, which is "typically the busiest time of year for consumer-facing industries." Credential harvesting, phishing, and imposter domains are expected to be the most common criminal tactics in cyberspace. 

Dave Bittner: RH-ISAC members report increased attention to the details of specific threats, closer engagement with customer service, and increased cooperation with other organizations in the sector as they prepare for the holiday season. They're seeing an increase in impostor websites, and they see smaller, "scrappier" criminal attempts as threat actors cope with defenses that have grown more alert and resourceful.

Dave Bittner: We’ll be hearing more from our colleagues at RH-ISAC in future podcasts.

A major Chinese cyberespionage effort against Cambodia.

Dave Bittner: Palo Alto Networks' Unit 42 has found two major Chinese APTs engaged in cyberespionage against Cambodia. They've hit at least twenty government and industry organizations in that country in what appears to be a long-term collection effort. Cambodia and China enjoy generally good diplomatic and economic relations, but that's irrelevant to China's choice of targets. Beijing's long-range goal is an enhanced naval presence in the waters off Southeast Asia, and the intelligence being gathered is designed to support that end. Friendly or not, Beijing wants those Cambodian port facilities.

Four cyber phases of a hybrid war.

Dave Bittner: Forcepoint analysts, looking at both Russia's war against Ukraine and the war unleashed by Hamas's assault on Israel, concluded that cyber operations in any hybrid war are likely to fall into four conceptually distinct, albeit temporally overlapping, phases:

  • "Phase 1: Increase in Scale and Impact of Attacks. In this initial phase, attacks increase in scope, evolving from hashtags to defacements and distributed denial-of-service (DDoS) attacks."

  • "Phase 2: Expanded Targeting and More Sophisticated Attacks. The emergence of state-linked proxy cyber threat actors typically bring about more sophisticated targeting strategies, including cyberterrorism."

  • "Phase 3: Ransomware Operations and False Flags. Ransomware groups and deceptive tactics become part of the cyber landscape, impacting virtual and physical infrastructures, as well as public perception."

  • "Phase 4: Coordination with Kinetic Operations. Cyberattacks are closely coordinated with kinetic operations, impacting not only virtual but also physical aspects of the armed conflict."

Dave Bittner: Of these four phases, the fourth has been least in evidence in both of the present wars. Wiper attacks have represented the closest approach to effective targeting coordinated with operations on the ground. Among these only the Russian attacks on Viasat networks in the opening hours of the invasion have had tactical effect, and even that effect was short-lived. Far more prominent have been the other three phases, and it's noteworthy that all of these involved deniable auxiliaries, false-flag operations, privateering, and co-opted criminal activity. None of these lend themselves to the sort of combined arms coordination historically seen with traditional electronic warfare.

Cyber and electronic threats to space systems.

Dave Bittner: The US Space Force sees the cybersecurity of space systems as crucial to mission capability. Via Satellite quotes Colonel Richard Kniseley, senior materiel leader of the Space Force’s Commercial Space Office, as saying, “The U.S. and our allied forces must now contend with growing threats from satellite link interceptions.”

Dave Bittner: It's interesting that he sees the threat as representing a convergence of both electronic and cyber attack. “This results from advanced jamming techniques and illegal satellite uplinks. Our operations are hindered by compromised communication integrity and potential data breaches.” 

Dave Bittner: That convergence of electronic and cyber attack can be expected to continue.

Dave Bittner: Coming up after the break, Robert M Lee from Dragos explains how outside forces affect OT and critical infrastructure security. Our guest is Dan Neault from Imperva, sharing how organizations are behind the eight-ball when relying on real-time analytics. Stay with us. [ Music ] Dan Neault is senior vice president and general manager of data security at Imperva. I spoke with him about the challenges facing organizations when it comes to real-time analytics and the potential advantages of predictive analytics.

Dan Neault: In today's threat environment, a real-time alert to something that seems to be malicious, well, that isn't enough, and real time isn't even fast enough. And the trick here is that by the time something that is seemingly malicious is detected and a real-time alert is triggered, the attack is like happening, the barn door is open. And that puts security teams in a reactive position, scrambling to validate it and then scrambling to contain the attack. So while having real-time information is important -- I guess I'm going to say necessary -- it is probably not sufficient. You can't rely on reactive technology when you want to stop these advanced attackers. Instead, teams need to focus on predictive analytics that can ID the attackers before they get to the data and stop the incident before it even happens.

Dave Bittner: Well, help me understand here, when you say "predictive," are we searching for potential vulnerabilities here? What exactly is going on?

Dan Neault: Well, these activities that'll happen, they're not mysterious in the sense that cyber criminals today will come in, they'll disguise their signatures, they'll make it harder to identify what's happening, and then you have very limited time to react. And in the past, you might've had days or weeks, now you might have minutes. The time to respond to one of these attacks is measured now maybe in minutes. And in the past, it might've been days or weeks. And you have the limited time before it's just really too late to do anything, and then it's all mopping up. And it might even be a real-time alert, but somebody's looking at it. But what's possible now using modern technology is to be proactive and predictive. And, you know, in the olden days, like 10 years ago, you might've just used algorithms to take a look at things. But the modern way to do it is machine learning, the part of artificial intelligence that's machine learning.

Dave Bittner: So from a practical point of view, what does this mean to an organization? You know, for the folks who are responsible for security, how does this change their day-to-day?

Dan Neault: Let me give an example in the form of a metaphor and then I'll come back to how it could change the day-to-day. Visualize this like you would physical security. Let's pretend you're a bank. And let's say you have cameras in the back focused on the safe for the back office. Well, it might catch an intruder if you only have cameras there. That's a problem. But if you have cameras elsewhere, you'd see them sooner. If you had cameras, you could see them wandering around, saying, they, that person is doing a behavior that looks a little different; I haven't seen that behavior before. Or I have seen that kind of behavior and I know what it means. You might be able to look at them before they even enter the building and say, you know, something doesn't look right there. Now, stepping away from the metaphor, in today's world, data is king. And especially as the cost of storage goes way down, businesses are keeping more and more around. So using the physical security metaphor, you can't put cameras everywhere that you should. With all of this data being generated, it's impractical to do the discovery and classification on a subset of it instead of looking at all of the data. And what I mean by that is, if you consider protecting your valuable data from your invention, from your planning, your execution, you can monitor all of that data using machine learning that looks at the monitors of all that data, and then say, huh, I've never seen anything like that before; I've never seen that kind of an activity on the data. And sheer fact that it's different enough allows you first of all to baseline against a trained model that's established in other companies, but you can also just look at your own trained data. You can say, I've never had someone in that department do that kind of a search; I've never seen a search like that. And all of this happens well before any action could happen. 
So think of it as the camera outside the building or the camera in the lobby, not the camera on the safe.

Dave Bittner: So what are your recommendations then? I mean, for organizations who are intrigued by this and want to see if it's a good match for them, what's the best pathway?

Dan Neault: Well, what I would encourage organizations to do is to change the way they think about data protection. Rather than just look at the small subset of high-value known business-critical data, use AI and specifically machine learning tools to monitor user and app activity across the entire data environment. ML is ideal. So we're fortunate to have it, because it's all but limitless in scale. It doesn't get fatigued or distracted and always gets smarter. Because then it can establish a baseline of normal activity and at the same time highlight anything that goes outside that for high judgment people to take a look at. Because, in this way, we can have people do what people do best: design these systems and then be high judgment looking at the alerts. And then have the computers take a look statistically about, huh, this is different, not quite sure why this is different, but it's different. Human, go take a look at it and tell me if there's something going on, before the breach ever happens, or before the access even happens.

Dave Bittner: That's Dan Neault from Imperva. [ Music ] And it is always my pleasure to welcome back to the show Robert M Lee. He is the CEO at Dragos. Rob, I have been seeing a lot of these news stories about record-breaking heat waves, and that brought to mind the question of how that affects folks in the critical infrastructure world. When you have these outside forces, and perhaps to a degree that they have not seen these sorts of outside forces, how does that affect an approach to security?

Robert Lee: To a massive level, it impacts the facilities and those companies all kind of weave it into security. But even before we talk about security, we have extreme weather events, extreme cold or extreme hot, especially if it's continual for any amount of time, your operating parameters change. And those operating parameters can mean everything from, I can no longer operate -- like maybe I've got, you know, what we saw in Texas where there were certain facilities were so cold that they basically froze portions of their generating capability, or couldn't do like wind and solar to be able to generate the electricity that they need for the grid there. Or I might have such high heat that technically I could operate the gas turbine, as an example, but the heat exchange is going to be so insane that the price to actually operate it is just cost prohibitive, of I am no longer efficiently generating electricity there. Then you take it into other sectors. If it is so hot that the trucks can't get into the manufacturing bay or sit there on the tarmac of sorts, you know, the pavement, very long, because then the tires start melting against. You know, it's like just anything you can think of from logistics to generating electricity to the change of the physical environment has on the physics for how we're doing wastewater treatment facilities or the rate that a product will move through a pipeline, like all of these things can have huge impacts. And our asset owners and operators are very good about operating through weather events that they've been able to plan for. But ones that they're either not able to plan for or not allowed to resource against because it's such a far-off issue, then we shouldn't be surprised when our infrastructure sort of hits challenges. I think that's some of the irony about the Texas incident from the cold weather event they had and ERCOT and all that. 
There were some of those utilities that went to the Public Utilities Commission years before that and said, hey, we really need to winterize our generation equipment. And the Public Utility Commission was like, what are you talking about, it's Texas, it's warm, baby, whoo-hoo!

Dave Bittner: Right, right.

Robert Lee: And the utility is like, dude, look at like the NERC weather forecasting guidance, look at what the DOE is saying; like we could start having these extreme weather events and we need to take care of this. And they looked at it like, that's too expensive; it'll raise the rates of the utility bill. And people generally don't like to do that. So they said, you're being silly, let's not worry about it. And then it happens and they were like, electric utility, how could you let us down? And it's like they literally are publicly regulated, man, like they can't do what -- yeah. So anyways, it's just a complex -- I'm not saying everybody was like that, but there's definitely examples of it. So long story short, weather events can impact more often, anyways, our electric system and manufacturing environments and everything than anything else. And these extreme weather events are hard to plan for. I mean, it will ultimately mean making things much more costly. I mean, even just weather events in terms of having more fires. Now you're talking about fires in California and elsewhere, where that impacts the transmission lines. Or maybe you can't run that transmission line now because it's right in the middle of a forest fire. So huge impacts. Now, the security tie-in, I mean, anytime that you've got an operating window or anytime you've got an already overtaxed system, any additional complexities, downtime, etcetera, just exacerbates the issues, and in some cases may not even be recoverable in the ways that we want to. So I don't think that there's a bad guys strike more -- I don't think there's like a direct security tie-in of sorts. But I think it just elevates the necessity of security on these operational environments, especially that if we're already constrained, the last thing we need is additional disruption.

Dave Bittner: How do we encourage a culture of being proactive rather than reactive?

Robert Lee: Resourcing and requirements. Outside of my role at Dragos -- not affiliated, whatever else, not a paid position, all sorts of legal language -- I sit as the vice chair of Grid resilience for National Security Committee on the Electricity Advisory Committee. So technically, I'm a DOE government employee, kind of in an advisory position. And what's been interesting to me -- not speaking on behalf of the DOE at all here. But what's been interesting to me, and it makes sense, but in all these meetings, they'll be, we need this and we need that and we need to modernize the grid and we want green energy everywhere, we want this and that and weather events and resilience against this and resilience against that. And like if you go and bring in the utilities, they'll all go, yeah, we agree; we've been saying the same thing. But the question is, who is paying for it; and what are your priorities? What are the requirements you want? Okay, we want more green energy. Cool. We're also going to need transmission right of ways then to actually be able to connect all this stuff up. Oh, yeah, no, that's a messy business building new transmission lines and we need 20 or 30 years to do that. But you need to be mostly transferred over to green energy next year. It's like, I just told you I'd be willing to do it, but I need this to make it happen. And I think people misunderstand how often that happens. And I like our policymakers and government officials, and many of them do a phenomenal job, but it's so easy to throw the asset owners and operators under the bus when most the time it's government's just got to set requirements and talk about where it's getting resourced. I think Mark Gabriel came to SANS ICS to give a keynote. He's the CEO of United Power. He was the CEO of WAPA before that -- a huge transmission government-owned company. One of the more experienced kind of electric utility guys and that leadership level. 
And I like his quote, I just thought it was phenomenal. It was like, look, like electric power is governed by the laws of man, but electrons are governed by the laws of physics. And those two things don't often meet. And I think that's where people are really, really confused of why can't we be more proactive? We want to be. The industry would love to be proactive on these topics. That industry executive at that electric company is going to be there longer than the politician talking about it, promise you. They want to do it. They live and work in the communities they serve. But who's paying for it? Who's allowing it? Because a lot of times, especially industrial projects, it's heavily regulated. And what are your actual requirements and priorities so we can focus on the ones that you actually really want. And I find that that is, yeah, constantly head-banging against a desk kind of conversations.

Dave Bittner: All right. Well, interesting insights. Robert M Lee is CEO at Dragos. Rob, thanks so much for joining us. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2K.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]