The CyberWire Daily Podcast 12.15.23
Ep 1968 | 12.15.23

Remapping privacy.


Dave Bittner: Google boosts Maps privacy, a court shields password disclosure, feds foil a massive scam operation, Iran-Israel cyber tensions escalate, Idaho National Labs reports a significant data breach, a security engineer's cybercrime confession. N2K’s Rick Howard reports from the recent MITRE ATT&CK con, speaking with Blake Strom of Microsoft about 10 years of the MITRE ATT&CK Framework. And Brian Krebs' relentless investigation into the Target breach.

Dave Bittner: Today is December 15th, 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Google Enhances Privacy for Maps Timeline Location Data.

Dave Bittner: Google is enhancing privacy protections for users' location data in its Maps Timeline feature. Currently, Timeline data is stored on both users' devices and Google’s servers. However, Google plans to shift this, ensuring location history remains only on user-owned hardware. Additionally, the default storage duration for this data will be reduced from 18 months to three months.

Dave Bittner: This move is part of Google’s effort to secure location data against potential legal access, such as geofence warrants used by law enforcement. If users opt for cloud backup, their data will be encrypted, making it inaccessible even to Google. This update aims to protect sensitive information, especially in contexts like visits to medical facilities, which Google pledged to delete swiftly but has been inconsistent in doing so.

Dave Bittner: Users have some existing control over their location histories, like the ability to enable or edit them. The upcoming changes also include a feature for managing activities related to sensitive locations, enhancing users' control over their data.

Dave Bittner: Privacy advocates welcome these changes, though some remain cautious about Google's commitment to privacy. Google asserts its ongoing efforts to provide users with more control over their data, emphasizing their intention to improve privacy measures continuously. These changes, expected to roll out over the next year, represent a significant step in enhancing user privacy in digital spaces.

Feds disrupt major pig butchering operation.

Dave Bittner: Federal prosecutors disrupted a major "pig-butchering" scam, arresting two and indicting four Californians for laundering over $80 million from victims. This scam, named after a Chinese phrase, involves building rapport with victims through cold messaging, then tricking them into sending money to fake investment platforms. The scammers show falsified profits, persuading victims to invest in crypto or other assets before disappearing with the funds. The accused used shell companies and various banks, including Bank of America and JPMorgan Chase, to funnel profits to accounts in the U.S., Hong Kong, and the Bahamas, linked to money laundering and the Tether stablecoin. This case represents a significant enforcement action against a scam that costs U.S. citizens hundreds of millions annually.

Security engineer pleads guilty to cybercrimes.

Dave Bittner: Shakeeb Ahmed, a 34-year-old senior security engineer, pleaded guilty to high-profile cybercrimes, including a $12 million theft from Nirvana Finance and another decentralized exchange. His admission reveals his use of sophisticated methods, exploiting vulnerabilities in smart contracts of Solana-based exchanges, including a $3.6 million attack on Nirvana Finance using a flash loan. Ahmed employed advanced laundering techniques, involving token-swap transactions, transfers across blockchain networks, conversion into Monero, and use of international exchanges and mixers. He faces serious consequences, including forfeiting $12.3 million and paying $5 million in restitution. Ahmed's conviction, a first involving a smart contract attack, is a significant legal milestone in addressing crimes in decentralized finance. Scheduled for sentencing on March 13, he could face up to five years in prison.

Protecting your password is protected.

Dave Bittner: The Utah Supreme Court unanimously ruled that suspects have a Fifth Amendment right to refuse providing phone passcodes to police, a principle affirmed in the Alfonso Valdez case. Valdez, arrested for kidnapping and assault, didn't give his passcode during the investigation. The State's use of his refusal as trial evidence led to his conviction, which was later overturned on appeal. This ruling underscores the complexity of applying the Fifth Amendment in digital evidence cases, with potential implications for the US Supreme Court. Legal experts note the current lower court confusion regarding digital evidence and the Fifth Amendment, suggesting this case might be reviewed by the US Supreme Court for clarity.

Iran's record against Israeli targets.

Dave Bittner: In the ongoing conflict involving Israel, Iranian cyber groups have intensified their operations. The group known as OilRig, also identified by various names such as APT34, Lyceum, Crambus, and Siamesekitten, has been particularly active. According to ESET's analysis, since 2022, OilRig has launched a series of attacks against Israeli targets using four new downloaders: SampleCheck5000 (versions 1 to 3), ODAgent, OilCheck, and OilBooster. These tools, while somewhat basic and detectable, have proven to be effective. One notable tactic in these attacks is the use of legitimate cloud services for command-and-control purposes. OilRig’s primary focus is on cyberespionage, gathering information rather than engaging in theft or sabotage.

An Israeli company claims to have organized an international cyber militia against Hamas.

Dave Bittner: Israeli law prohibits private companies from attacking international cyber systems, but according to the Jerusalem Post one Israeli company, CyTaka, believes it's found a way to hit back at Israel's enemies in cyberspace without running afoul of the law: engage international partners. The Jerusalem Post writes, "Their efforts target disinformation distribution, psychological warfare, and offensive cyberoperations that fund terrorist organizations." The CyTaka-organized operators are empowered to undertake targeted cyber counterattacks. "By identifying and neutralizing hacker networks," the Jerusalem Post writes, "economic losses from attacks can be mitigated." 

Idaho National Labs discloses data breach affecting 45,000.

Dave Bittner: Closer to home, Idaho National Laboratory (INL) is notifying 45,000 individuals, including current and former employees, retirees, postdocs, graduate fellows, interns, as well as their dependents and spouses, of a data breach involving stolen personal information. The breach, identified on November 20, affected the Oracle Human Capital Management software used for HR applications. Compromised data includes names, birth dates, Social Security numbers, salary details, and banking information, all current as of June 1, 2023. Those affected will receive a letter from Experian and INL offering no-cost identity protection and credit monitoring services. The hacktivist group SiegedSec claimed responsibility for the breach, with INL investigating alongside the DOE, FBI, and CISA. Impacted individuals are advised to be vigilant against identity theft and phishing attempts.

Dave Bittner: Coming up after the break, our own Rick Howard speaks with Blake Strom from Microsoft about 10 years of the MITRE ATT&CK Framework. Stay with us. [ Music ]

Rick Howard: Back in October, the MITRE Corporation hosted the ATT&CKcon 4.0 Conference at their company headquarters in McLean, Virginia, and one of the coolest things they did on the 10th anniversary since they invented the MITRE ATT&CK Framework was to bring back the original researcher analysts who came up with the idea in the first place. On the panel was Jen Miller-Osborn, who just recently stepped down as the Palo Alto Networks Deputy Intelligence Director for Unit 42, Brad Crawford, the Vice President of Product at Phylum, Eric Sheesley, the Head Global Security Architect at Sony, and Blake Strom, the Principal Security Research Manager at Microsoft. I got to sit down with Blake after the panel and started out by asking him if he thought the MITRE ATT&CK Framework was the de facto standard for how cyber threat intelligence teams convey and represent adversary playbook intelligence.

Blake Strom: So we definitely had antibodies when it comes to standards and people calling it a "standard," so we'll just call it a "framework" in our knowledge base. We're comfortable with that.

Rick Howard: Why has everybody accepted that? You guys didn't think it was going to be that when it started, so how did it become to be that?

Blake Strom: I think it's because it was just the right mix of threat intel, Red-Teaming, and defense, and so I mentioned Todd Wittbold's in the panel. So he was the guy that hired me. He was my department head when I was at MITRE for a long time, but he had this saying about ATT&CK, that it was like the rug that brought the room together, sort of like, you know, what's that movie?

Rick Howard: Is it Lebowski?

Blake Strom: Yeah, The Big Lebowski.

Rick Howard: The Big Lebowski, yeah.

Blake Strom: Yeah, so he said it's the rug that pulls the room together, or that ties the room together, and that's definitely what it is.

Rick Howard: Before ATT&CK, you know, every vendor had their own way to describe, right? And they could be talking about the same adversary and nobody would know, right? Because we even have colorful names that were different, and we still have that problem, right? But the ATT&CK Framework becomes the Rosetta Stone to fix all that. You can tell me if I'm wrong.

Blake Strom: No, you're definitely right. If you've read some of the reports, like the intel reports back in the day, you could get two different reports from two different intel providers or vendors and they would describe the same even behavior in different ways.

Rick Howard: Different ways.

Blake Strom: There was no way to, like, compare them, unless you really know the deep technical details and how the actor is actually performing the act, and so that's where, like, you know, the rubber hits the road for ATT&CK.

Rick Howard: Well, take me back to those days, right? Because the panel was talking about, you know, the origin story. I'm an old comic book nerd myself, right? So I love origin stories. So what was happening before you started working on this that was the spark that said, "Hey, we should do this other thing"? What was happening?

Blake Strom: It was basically back to the Cyber Games report, so what is the readout that the Red Team did.

Rick Howard: Well, explain that. I don't know if everybody knows what that -- the Cyber Games was what?

Blake Strom: Yeah, so the Cyber Games was basically the Red versus Blue session that would happen as part of the FMX project, so --

Rick Howard: For the NSA?

Blake Strom: No, this is for MITRE, so yeah, I'll go back a little bit. So MITRE started this research project, the premise that, you know, the IOCs that people were typically using to detect malware and attackers wasn't enough. You needed to instrument the endpoint systems, instrument the network in a way that you're collecting, like, telemetry over time and then looking for the signal patterns that indicate an attack was happening, and so that's what the FMX project was. Like, that set of sensors, the set of analytics, the analytic data, getting into Splunk, and then turning on it to see if you can --

Rick Howard: So it's a Red Team/Blue Team --

Blake Strom: Yeah, so we exercise --

Rick Howard: Did we not have those before that or --

Blake Strom: We did, but it's usually like the Red Team going in and assessing a network, and the Blue Team going, "Hey, we got you here, but we missed all this stuff, like, don't tell us what we're bad at," where this was much more supposed to be a collaborative exercise because the Red and Blue Team both had the objective, like, improve the system.

Rick Howard: So it's the origin of purple team.

Blake Strom: Yes. Yeah, it was.

Rick Howard: Is it?

Blake Strom: It was very much a purple team.

Rick Howard: How about that? I didn't know that till just now. That's really good. Okay, so --

Blake Strom: We didn't coin the term, but we were -- it was definitely like a purple team exercise, and so trying to figure out, like, what is the commonalities across the threat actors so that we can emulate them successfully in this environment in a way that the Blue Team can show that their work is actually making a difference against specific threats that really was like the origin for ATT&CK. That was the foundation.

Rick Howard: So we have this -- what was the game called again?

Blake Strom: Cyber.

Rick Howard: Cyber Game, so, all right, we do the games, we still don't have ATT&CK yet, so what changed?

Blake Strom: So we had lots of data on how threats operate within like an enterprise network, and Jen was going through that data and then comparing it, figuring out what the nuggets of details are that are specific techniques, comparing that to what Brad and Eric were doing, and then we realized, okay, so if we start with the ground level, like, what are the individual actions that attackers are going to take within a network? Like, let's start there. Let's start categorizing them. Let's start binning them into, like, what is the purpose for that technique, the persistence, the lateral movement, is it credential access, and that started to build the framework for the tactics that became like part of ATT&CK.

Rick Howard: Did all that just kind of trip off your tongue back then, like, because before, you know, I was doing this, I've been doing this for 30 years, right? No one started talking about sequences of activity until, you know, the Lockheed Martin Kill Chain paper and the Department of Defense's Diamond Model, the MITRE ATT&CK Framework, right? So were you guys thinking in those terms when the games were going on?

Blake Strom: Yeah, we were, but if you look at the Lockheed Martin Cyber Kill Chain, like the actions on objectives is very vague, and that's basically where ATT&CK sort of like fits in squarely to fill in a lot of --

Rick Howard: That is exactly right. I've always thought the Kill Chain paper from Lockheed Martin was more strategic idea with no details about how to do it operationally, but you are absolutely right that MITRE sits right in those actions on the objectives phase that they didn't address. I didn't know that. What about the Diamond Model? Was that part of it, too, or -- because that -- did the Lockheed Martin paper come out in 2010, Diamond Model came out in 2011, but both teams working on it in the same, you know, for five years, I guess, right?

Blake Strom: Yeah, and I knew, like, I worked with some of the founders of the Diamond Model at the NSA when we were there together, and there's been like a lot of controversy that I think is totally unfounded in the industry, like, what would you use, the Diamond Model or the ATT&CK Framework or the Cyber Kill Chain? But they're all necessary components to understand threats, and the Diamond Model is really good because it helps give analysts a framework to attribute a particular threat actor, which is important knowledge for some organizations like governments and sort of multinational companies to understand sort of like who they're doing business with and how that might impact their cybersecurity.

Rick Howard: That was Blake Strom, the Principal Security Research Manager at Microsoft. You can hear more about how the three main papers, the Lockheed Martin Kill Chain paper, the DoD's Diamond Model, and the MITRE ATT&CK Framework, are really the intrusion kill chain defense triad in my book, Cybersecurity First Principles, and you can get your copy at Amazon, and you can hear the full interview I had with Blake in the next season of CSO Perspectives that will come out next year. [ Music ]

Dave Bittner: And finally, in 2013, KrebsOnSecurity reported on a major breach at U.S. retailer Target where over 40 million customer payment cards were compromised. The malware used was linked to a cybercriminal using the handle "Rescator." A decade later, Brian Krebs has unearthed new clues pointing to Rescator's real-life identity. Initially believed to be a Ukrainian hacker, further investigation linked Rescator to Pavel Vrublevsky, a convicted Russian cybercriminal. Rescator's tactics involved selling stolen cards from Target and Home Depot breaches exclusively on his online shops. Rescator's identity was further unraveled through connections to the Russian cybercrime forum BlackSEO and a Russian ISP where key figures in the cybercrime world were identified. One significant clue was an email address used by Rescator linked to a ChronoPay employee who managed pirated music sales. This led to connections with other Russian cybercrime figures and businesses involved in illicit activities, including cryptocurrency exchange Suex sanctioned by the U.S. Treasury. Mikhail "Mike" Shefel, a key figure at ChronoPay, emerged as a potential associate of Rescator. The investigation revealed intricate relationships among Russian cybercriminals, spanning various illegal enterprises. Vrublevsky's continued involvement in fraudulent activities post-imprisonment and Shefel's ventures into cryptocurrency highlight the ongoing challenges in tracking and prosecuting cybercrime. The U.S. Secret Service remains interested in further information, emphasizing the ongoing nature of the investigation into this complex web of digital crime. Unmasking cybercriminals is like peeling an onion with infinite layers, but it looks like Brian Krebs doesn't mind the tears. [ Music ]

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out a special edition of this week's Research Saturday. Threat Vector host David Moulton is bringing us an exclusive interview with Unit 42's Michael Sikorski to discuss the Russian APT Fighting Ursa. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. You can email us at We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Irvin. Our mixer is Tre Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. [ Music ]