The CyberWire Daily Podcast 12.14.16
Ep 245 | 12.14.16

Nation-state hacking (and nation-state victims of hacking). Loyalty program breaches, and a new Android Trojan strain.


Dave Bittner: [00:00:03:20] Ukraine says its Defense Ministry was hacked. US investigations of apparent Russian influence operations during elections continue. Venezuela talks up cyber threats as contributing to its financial crisis. Dr. Web reports a new Loki Trojan variant in the wild. BugSec and Cynet disclose Facebook Messenger flaws, now patched. Colonel's Club breached and hacktivists go after Russian consular data.

Dave Bittner: [00:00:34:12] Time for a message from our sponsor, Netsparker. When you want automated security, you want it to be, well, automatic. Netsparker delivers truly automated web application security scanners. It can be surprisingly labor intensive to scan websites, and other solutions need a lot of human intervention.

Dave Bittner: [00:00:50:18] To take one example, with other scanners you have to configure URL rewrite rules to properly scan a website; not with Netsparker. They say, "it's the only scanner that can identify the set-up and configure its own URL rewrite rules." Visit, to see how Netsparker's no false positive scanner frees your security team to do what only humans can do.

Dave Bittner: [00:01:11:18] Don't just take their word for it. If you'd like a free trial, go to for a 30 day fully functional version of Netsparker Desktop. That's Scan your websites with no strings attached. We thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:38:07] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday December 14th, 2016.

Dave Bittner: [00:01:44:15] Ukraine's Defense Ministry stated yesterday that its website was downed by disruptive cyber attacks that seemed designed to prevent the ministry from providing updates on the Russian hybrid war being waged in Eastern Ukraine. The obvious suspect in the case would be Russian intelligence services.

Dave Bittner: [00:02:02:00] Investigation of election hacking proceeds in the US, with concentration on influence operations widely believed to have been conducted by Russia. Illinois Republicans say the FBI warned them in June that four seldom-used accounts may have been compromised as far back as 2015 – roughly the period when Cozy Bear established persistence in DNC networks. Some emails, none particularly discreditable, eventually turned up in DCLeaks, generally thought to be a Russian sock-puppet.

Dave Bittner: [00:02:33:12] The CIA has famously concluded that Russian services did in fact seek to influence the election and some private security companies, notably CrowdStrike, share that view with even higher confidence than the CIA. The details remain murky, especially the connections between the Russian services and WikiLeaks. Director of National Intelligence Clapper, has told Congress that evidence of coordination between the Russian Government and WikiLeaks is still inconclusive.

Dave Bittner: [00:02:59:22] There does, however appear to be a strong circumstantial case for WikiLeaks having served as a conduit of information from Russia to the public. WikiLeaks has denied that Russian intelligence provided it with the DNS emails it releases.

Dave Bittner: [00:03:14:23] Venezuela, in the throws of its continuing economic and financial crisis, pulled in a prominent bank president for questioning over the weekend, in connection with allegations that he was complicit in December 2nd cyber incidents involving online banking systems.

Dave Bittner: [00:03:29:13] Venezuelan officials also suggest that their withdrawal of their highest denomination currency, the 100 Bolivar note, is connected with unspecified concerns about cyber security, as opposed to the widely believed prospect of hyperinflation. The executive in question was Victor Vargas, President of the Banco de Occidental Descuento.

Dave Bittner: [00:03:51:08] Dr. Web, original discoverer of the Loki Trojan, warns that a new version can infect native Android OS libraries. Dr. Web also reports that some Trojan downloaders are appearing preloaded in the firmware of discount Android phones.

Dave Bittner: [00:04:06:20] BugSec and Cynet say they've discovered a vulnerability in Facebook Messenger – they're calling it Originull – that could give attackers access to chats and photos. Facebook has fixed the flaw, but it could also affect websites using origin registration checks.

Dave Bittner: [00:04:23:00] As the holidays approach, many of us are expecting to either give or receive gift cards. It's an increasingly popular gift, giving the recipient the ability to buy something they really want and providing the giver with the comfort of knowing they spent slightly more time on choosing a gift than simply stuffing an envelope full of cash. But gift cards come with their own security issues; as we learned from Omri Iluz from Perimeter X.

Omri Iluz: [00:04:45:18] You need to be very careful. Last holiday season, gift card fraud was one of the most lucrative attacks, and we've seen a significant increase. We expect it to be, again, one of the top attacks this holiday season. The way that attackers abuse gift cards is by simply guessing the numbers.

Omri Iluz: [00:05:05:22] A gift card is simply a list of numbers and if a website provides a way to check the balance and the attacker has access to enough bots, he can simply try hundreds of millions of combinations and he will be very successful, at some point, in finding gift cards with a balance.

Omri Iluz: [00:05:28:03] If you look at the gift card, while it seems like a long list of numbers, there is a structure in it. There's usually a prefix per website. There's usually check digits at the end, so the actual number is much shorter. It's still very hard to find one, if you just go and type them manually. But imagine you had 10,000 bots that can now go and type, as fast as they want, a gift card into the page that checks the balance.

Dave Bittner: [00:06:01:05] They will run for weeks until they find gift cards with a balance. Even if the success rate is very, very low, because they have so many bots and these bots can try as fast and as wide as they want, they just harvest. You can look at this as mining or, as they call it, harvesting gift cards.

Dave Bittner: [00:06:22:07] From my point of view, if I receive a gift card, as far as I know, I've never run across a gift card that allows for something like two-factor authentication. Is it a matter that I should really be vigilant in and use that gift card as quickly as possible, to minimize the probability of someone harvesting it?

Omri Iluz: [00:06:39:07] I think the most important part is knowing what your balance is on the gift card. If you're like me and you get ten or more gift cards during the holiday period, you don't write down the balance; so if someone harvests your gift card numbers, you just go in and you know this is supposed to be $100 gift card, but it has no value on it, you're just going to throw it away.

Omri Iluz: [00:07:02:07] Just have a list.Someone gave you a gift card, put it in a spreadsheet somewhere, when you got it, what's the balance. If you complain, most websites would give you back the money; but you need to know how to complain. I wouldn't say go and use it as fast as possible; we still want to have the opportunity to buy what we want, when we want it. I don't want to let the attackers dictate our lives. You just needs to be a little bit more organized and get the money back when someone harvests your gift card.

Dave Bittner: [00:07:34:09] That's Omri Iluz from Perimeter X.

Dave Bittner: [00:07:38:17] Netgear has pushed out firmware updates for vulnerable router models. Microsoft patches Skype, IE, Edge and Windows and Adobe has issued another patch for a Flash zero-day.

Dave Bittner: [00:07:50:20] KFC, the chain formerly known as Kentucky Fried Chicken, warned that its loyalty program has been breached. About 1.2 million British members of the Colonel's Club have been advised to reset their passwords after 30 customers' personal information appeared to have been compromised. It's a fairly quick disclosure.

Dave Bittner: [00:08:09:01] Michael Patterson, CEO of Plixer, told the CyberWire, "The fact that KFC came forward about the breach is honorable. Clearly they have systems in place that allowed them to research which accounts were targeted. KFC needs to keep in mind that the targeted 30 accounts could have been a diversion method to distract from the real attack." He also noted that the company, Yum Brands, was commendably cautious in not holding credit card information in its loyalty program databases.

Dave Bittner: [00:08:36:09] Finally, Russian officialdom hasn't escaped the unwelcome visitation of the hacktivist community. Someone from the New World Hacktivists – going by the brassica-themed handle Kapustiky has stolen some 30,000 passport records from the Russian consulate in the Netherlands' website. Mr. Kapustiky says, his motive is to raise awareness about the dangers of a data breach and that he'll only leak a few of them at a time, until people get the message. Somehow one doubts the FSB will take him at his word.

Dave Bittner: [00:09:07:06] Mr. Kapustiky, in November, counted coup against Indian diplomatic missions in Italy, Libya, Malawi, Mali, South Africa, and Switzerland. No plausible motive beyond the implausible public education motive is evident. Perhaps it's all just for the lulz. Our linguistic staff, by the way, tells us that kapusta means cabbage, and they assure us their grandmothers saw to it that they ate plenty of it. If you're in the Netherlands, may we suggest the snert instead? Or in the UK, some KFC?

Dave Bittner: [00:09:44:03] Time to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company, whose patented technology continuously analyzes the entire web; developing cyber intelligence that gives analysts unmatched insights into emerging threats.

Dave Bittner: [00:09:58:10] At the CyberWire, we subscribe to and profit from Recorded Future's cyber daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely; because that's what you want: actionable intelligence.

Dave Bittner: [00:10:19:06] Sign up for the cyber daily email and, every day, you'll receive the top trending indicators Recorded Future captures crossing the web: cyber news; targeted industries; threat actors; exploited vulnerabilities; malware; and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to and subscribe for free threat intelligence updates. That's We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:10:52:21] Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, when we see news come by about hacking coming from nation-states, I think, sometimes, the definition of what that is, is a little bit fuzzy for some people. I know, from your point of view at Level 3, you all have a unique perspective on nation-state hackers. What's your perspective? What can you share with us about them?

Dale Drew: [00:11:18:20] Well, you know, we recently published a blog on the anatomy of a nation-state hacker and it's really because of some of the observations we were seeing in a lot of these nation-states, that were just contrary to our common belief about the ideal of how a nation-state operator would work.

Dale Drew: [00:11:39:14] It's sort of two-fold. On the one hand, you know, we really saw it as it looks like and operates, like a fairly mundane job. We're able to detect when a nation-state employee clocks in for the day. We're able to see when they go to lunch, you know, and they go to lunch for an hour or so. Then we see them when they come back, and then when they go home. It's a very regimented sort of process.

Dale Drew: [00:12:04:20] In some nation-states, we saw a fairly complex ecosystem of different connected organizations that were responsible for different pieces. One piece responsible for identifying the companies that were engaged in certain intellectual property: searching for patents, searching for news stories, you know, Internet forum posts and things like that, and building the database of assets of potential targets.

Dale Drew: [00:12:35:06] We saw other organizations that were responsible for social research: what employees worked on, what projects, what keywords did they use, what technology did they have?

Dale Drew: [00:12:43:23] Then those organizations responsible for downloading, purchasing and getting access to the source code of a pretty wide variety of product portfolio; so that, if they found out that a particular target was using that, they would potentially have access to undiscovered security exposures in the form of zero-days or half-days, to be able to weaponize that and gain access to that target company for extended periods of time.

Dale Drew: [00:13:09:01] We also saw a vast majority of it was really dependent upon getting access to the employee. I mean, most of these attacks we saw were based on phishing attacks, targeting very specific employees.

Dale Drew: [00:13:21:03] The last one that I'd say is that, one of the observations we saw was, a lot of nation-state employees, more and more, are renting out their services to organized crime. Not only so those nation-state actors can get a little cash on the side; because they are being paid like government employees, but also because the nation-states want to be able to obfuscate the complexity of those attacks with another source.

Dale Drew: [00:13:46:11] You know, when we see an attack, the fingerprint is pretty easy to determine. You know, we're like, oh that's Fred from nation-state X; we know that fingerprint and we know that style. But it's not a nation-state in this case, it really looks like an organized crime attack. Being able to attribute attacks is becoming much more difficult these days because, those resources are sharing, not only to other nation-states, but to organized crime.

Dave Bittner: [00:14:09:24] Interesting stuff. Dale Drew, thanks for joining us.

Dave Bittner: [00:14:15:02] That's the CyberWire. You may have noticed that some of us around here are Star Wars fans and, of course, we're really excited about the new Rogue One movie coming out. In fact, we've made a video of our own, outlining how we think the Death Star plans may have been stolen. You can watch the video on our website,

Dave Bittner: [00:14:29:11] Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.