The CyberWire Daily Podcast 10.17.16
Ep 206 | 10.17.16

Pakistan phishes Indian Army. US election hacks continue as the US investigates and mulls its response. New ransomware strains. More IoT botnet infestations. ISIS struggles to explain loss of Dabiq.


Dave Bittner: [00:00:00:00] Pakistani phishing noticed in Indian Army networks. ISIS loses prophetically important town of Dabiq and must adjust its messaging accordingly. WikiLeaks continues to poke at the Clinton campaign. Fancy Bear is again in the spotlight as the US preps a response to Russian election hacking. IoT malware affects networking gear. Dyre's masters are back and working on a new banking Trojan. And what, exactly, does EvitTwin think he, she, or they might be up to?

Dave Bittner: [00:00:32:06] Time to tell you about one of our sponsors, E8 Security. And let me ask you a question. Do you fear the unknown? Lots of people do, of course. Mummies, the lost city of Atlantis, stuff like that. But we're not talking about those. We're talking about real threats. Unknown unknowns lurking in your network. The people at E8 have a white paper on hunting the unknowns with machine learning and big data analytics that go beyond the old school legacies signature matching and human watch standing.

Dave Bittner: [00:00:57:13] Go to and download their free white paper. Detect, hunt, respond. It describes a fresh approach to the old problem of recognizing and containing a threat no-one has ever seen before. The known unknowns, like the moth man and spontaneous human combustion, they're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them. Check out that white paper. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:36:11] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday October 17th 2016.

Dave Bittner: [00:01:43:12] Physical space and cyberspace intersect again in South and Southwest Asia. After India's late September cross-border strikes against terrorists groups in Kashmir, either state run or of the patriotic hacktivist variety, probably the former, have apparently embarked on a phishing campaign directed against Indian Army targets. The phishing emails spoof an Indian Army intelligence address; the subject line phishbait includes, "Actual story of surgical strike done by Indian Army in PoK".

Dave Bittner: [00:02:15:06] Yesterday rebels of the Free Syrian Army, backed by Turkish armor and close air support, took the small town of Dabiq in Northern Syria from the ISIS forces that had been holding it. The loss of the physically insignificant town will have an outsized strategic impact on ISIS messaging.

Dave Bittner: [00:02:34:01] A Seventh-Century hadioth prophesied that the "last hour" would come after the "Romans", generally regarded as the infidel West, landed at Dabiq. The prophecy says that the a third of the Muslim army would desert, a third would be martyred in battle, and the the remaining third would go on to conquer Constantinople. That is modern day Istanbul, which would be the immediate prelude to the rise of the last enemy and the victorious return of the Mahdi. It's noteworthy that ISIS's slick online magazine is named "Dabiq."

Dave Bittner: [00:03:06:09] The messaging that's emerging adopts the familiar millenarian trope when the necessity of dealing with an apparently unfulfilled but highly specific prophecy arises. The time is not yet, and the struggle continues. The prophecy will be fulfilled nonetheless. Still, ISIS had been betting heavily on winning in Dabiq. Whether trimming the message will carry as much credibility as the group would wish remains in question.

Dave Bittner: [00:03:31:14] WikiLeaks continues to harry the campaign of former Secretary of State Clinton. The campaign says the leaks were achieved by hacking, which the campaign is comparing to Watergate, and demanding that Republican candidate Trump be asked what he knew about the hacking and when he knew it. The comparison is perhaps infelicitous, since it's reminded people as much of analogies to Nixon's tape erasure as it has to the famous what-did-the-president-know question asked in the wake of the 1972 Watergate break-in.

Dave Bittner: [00:04:01:10] The FBI is said to be investigating but the Bureau understandably won't say much about the latest Podesta leaks beyond, yes, we're investigating things, but, of course, we don't like to say much about what we're investigating.

Dave Bittner: [00:04:14:03] Election related hacking also hits the National Republican Senatorial Committee, the NRSC, with donor lists being scraped and exfiltrated to a domain associated with the Russian mob. The data theft occurred between March 16 and October 5 of this year. Among the data exposed were credit card credentials which suggest that the motive was theft.

Dave Bittner: [00:04:35:21] Russian intelligence services are generally suspected as the source of the data stolen from the Democrats. Given the degree to which Russian security services are thought to have compromised Russian organized crime, they may have a paw or two in the NRSC hack.

Dave Bittner: [00:04:50:09] The US, having officially attributed much of the election hacking to Russian continues to prepare some sort of response, but what that response will be remains up in the air. BuzzFeed has a profile of prime animal-of-interest, Fancy Bear, with an interesting rundown on this GRU unit's long history of cyber operations against non-US targets. The outlet quotes an anonymous US defense department official as saying, "Fancy Bear is Russia, or at least a branch of the Russian government, taking the gloves off. It's unlike anything else we've seen, and so we are struggling with writing a new playbook to respond."

Dave Bittner: [00:05:28:20] Fancy Bear is famous for the provocative noisiness of its attacks on the Democratic National Committee earlier this year, much more obvious than the quiet persistence its colleague Cozy Bear used for over a year. The unnamed Defense official told BuzzFeed, "If Fancy Bear were a kid in the playground, it would be the kid stealing all the juice out of your lunch box and then drinking it in front of you, daring you to let him get away with it."

Dave Bittner: [00:05:54:10] Most bets on the US response are placed on sanctions, but there were curious reports over the weekend that the CIA, not generally conceived of as the lead US agency in cyber operations, was said to be preparing for a cyber war with Russia, whether that's defensive prudence or preparation for offensive operations remains to be seen.

Dave Bittner: [00:06:16:00] In cybercrime news, there are more concerns about the internet-of-things. Sierra Wireless warns that its cellular gear has been roped into the Mirai botnet that did so much DDoS damage last month. The affected equipment is AireLink gateway communications gear. Another malware variant with the potential to inflict denial-of-service conditions is "LuaBot," which researchers at Malware Must Die say has been targeting Arris cable modems with increasing sophistication over the last two months. Known since late 2015, LuaBot's renewed activity suggests a rise in the DDoS risk.

Dave Bittner: [00:06:52:02] The IoT contains bigger potential problems than DDoS as bothersome as DDoS is. We're thinking, of course, of the industrial IoT, and we spoke with Robert Lee about reports last week that an unnamed nuclear power plant had sustained a "disruptive" cyber attack.

Robert Lee: [00:07:08:01] There was malware in a facility that caused them to take some responsive actions, but it wasn't on the nuclear side of the facility anyway because that would have caused a case where they would have to take down production environments. So it was on the business systems that they were using at the nuclear environment. It's concerning because we want to make sure that we have the standard practices in place where we aren't introducing random malware. So if a facility can get infected with some well known piece of malware off a USB into the environment, they're most certainly susceptible to a well funded actor trying to infiltrate it. The push back on the height though is this wasn't really a cyber attack where someone was trying to cause a nuclear meltdown. By all accounts, it sounded like it was an accidental malware infection.

Dave Bittner: [00:07:58:02] That's Robert Lee from Dragos Security. The authors of the Dyre trojan, largely quiet since last November, are back and working on a new banking Trojan, "Trickbot". Fidelis reports observing Trickbot in several Australian bank networks. There are signs it may be about to appear in Canada as well.

Dave Bittner: [00:08:18:18] Kaspersky describes a new, tougher to root out ransomware strain. CryPy, which encrypts individual files with their own individual key.

Dave Bittner: [00:08:27:11] And, finally, a curious new strain of ransomware, "Exotic." You can recognize it by the Hitler imagery it uses - it's not actually a threat, yet, according to its discoverers at MalwareHunterTeam. Exotic’s developer, "Evil Twin," seems more interested in cozying up to security researchers than in effective cybercrime. Thanking them for their feedback and sharing screenshots. This is either a vanity project or a new approach to crimeware R&D. Our Marketing Department tells us, we asked, that associating yourself with one of the five worst genocidal monsters of the 20th Century isn't a good look, but who knows? Maybe Evil Twin is using a different focus group.

Dave Bittner: [00:09:14:24] Time for a message from our sponsor, If you're a cyber security professional and you're looking for a career opportunity you need to check out the free Cyber Job Fair on the first day of Cyber Maryland, Thursday October 20th at the Baltimore Hilton, hosted by They're a veteran-known specialist at matching security professionals with rewarding careers. The Cyber Job Fair is open to all cyber security professionals, both cleared and non-cleared. It's open to college students and cyber security programs too. You'll connect face to face with over thirty employers like SWIFT, DISA and the Los Alamos National Laboratory. You can also tune up your resume and get some career coaching, all of it's free from career expert and Air Force veteran, Patra Frame. To learn more visit and click job fairs in the main menu. Remember that's and we'll see you in downtown Baltimore. And we thank for sponsoring our show.

Dave Bittner: [00:10:16:01] Joining me is Malek Ben Salem. She's the R&D manager at Accenture Technology Labs. Malek, I know you wanted to tell us about some of the work you're doing with semantic technology for security analytics?

Malek Ben Salem: [00:10:27:01] Correct. An example of semantic technology is ontologies which are typically used to enable knowledge sharing and re-use. In our lab, we try to leverage ontologies to enhance security analytics at the edge. This was a DARPA funded project. It was part of the program called ICAS, the Integrated Cyber Analysis Systems program that DARPA funded. Within this program, we used an ontology. We defined and built a new cyber security ontology which we leveraged to look at logs created by new software installed on devices and automatically infer the schemer of that log based on the security ontology that we've developed.

Malek Ben Salem: [00:11:23:03] Why is this important? Users will keep using software all the time and security analysts will need to understand any logs created by that software and need to use it for understanding when a device is compromised or when software is compromised. However, if they use existing SIEM technologies, they would have to build API's for every new software and every new lock format that's created. With our tool. With this automated way of inferring the scheme of that log automatically, they don't have to do that. All of that information, all of those logs that are created can be automatically consumed, that information can be contextualized. And obviously, with the more context, the better decisions security analysts can make about what the incident is about, what's the root cause and where to look further to understand what's causing it.

Dave Bittner: [00:12:25:11] So what kind of accuracy do you get with this sort of system?

Malek Ben Salem: [00:12:28:21] It varies, depending on how structured the log is. So some of these logs are very structured in their scheme, others are what we can call semi structured types of data. So, the accuracy varies depending on how structured the data is but we were conducting experiments to measure those accuracies.

Dave Bittner: [00:12:52:23] Who, in particular, would this sort of thing benefit?

Malek Ben Salem: [00:12:56:21] It will definitely benefit security analysts. So, eventually this will be deployed as an agent on end point devices - that's why I refer to security analytics at the edge. So the agent running the laptop or the desktop, would be looking for all of these logs as they're created. If it's using new format, then it will try to make this mapping and it will try to organize the information created by those logs into that general schemer and send it back to a central location for analysis. Or perhaps even keep it local and wait for the security analyst to make a query if they suspect that a computer is compromised. So it makes that query to the agent and then they identify what information is relevant to a suspected incident and send that back to the security analyst.

Dave Bittner: [00:13:56:02] Alright, Malek Ben Salem, interesting stuff, thanks for joining us. And that's the CyberWire. National Cyber Security Awareness month is now in its third week. This week's theme is recognizing and combating cyber crime. You can sign up for our daily CyberWire News Brief which comes conveniently to your email box at Thanks to all of our sponsors who make the CyberWire possible.

Dave Bittner: [00:14:25:19] The CyberWire podcast is produced by Pratt Street Media. The Editor is John Petrik. Our Social Media Editor is Jen Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.