The CyberWire Daily Podcast 12.22.16
Ep 251 | 12.22.16

ISIS offers Christmas inspiration (and it's got nothing to do with peace or good will). Fancy Bear makes a battlefield appearance. Blogging services under attack.


Dave Bittner: [00:00:03:15] ISIS offers a murderous take on Christmas in its online communications. Ukraine is on the receiving end of Russian tactical cyber operations and, yes, it's Fancy Bear. Analysts mull the possibility of a Russo-American détente emerging from cyber conflict. Investigation of Ukrainian power outage continues without definitive result. Mirai continues to rope maverick devices into its bot-herd. And WordPress and Tumblr receive criminal attention.

Dave Bittner: [00:00:35:18] It's time to take a moment to tell you about today's sponsor Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cyber security analysts unmatched insights into emerging threats. We read their Dailies at the CyberWire and you can too. Sign up for Recorded Future's Cyber Daily email to get the top-trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:38:00] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, December 22nd, 2016.

Dave Bittner: [00:01:45:02] Vocativ reports online threats in ISIS media seeking to inspire the terrorist group's adherents, sympathizers and wannabes to attack Christian churches during the Christmas season. Such attacks are seen by many but especially by German authorities dealing with recent murders in Berlin as the attempt by ISIS to further alienate Muslims living in non-Muslim lands from their neighbors, and so to drive them into ever closer ties to the increasingly virtual Caliphate.

Dave Bittner: [00:02:12:16] An interesting series of reports from the cyber threat intelligence firm CrowdStrike offer insight into both Russian deniable hybrid warfare and Russian influence operations.

Dave Bittner: [00:02:23:00] Fighting in eastern Ukraine has seen an odd battlefield result. Ukrainian forces are losing their D-30 howitzer batteries to artillery counterfire at a surprisingly high rate. In two years of fighting Ukrainian forces are said to have lost about half their artillery pieces. They've lost 80% of their D-30s and CrowdStrike suggests an explanation. The D-30 units have been hacked. An Android app, Popr-D30, which a Ukrainian artillery officer developed and distributed to improve the guns' responsiveness to calls for fire, has been Trojanized with a version of Fancy Bear's X-Agent. The malicious implant reports gun positions back to Russian fire units, which then target and destroy the Ukrainian artillery. It's unclear from CrowdStrike's report whether the Popr-D30 app is a survey or a fire direction tool. They simply say it reduces the time it takes a unit to fire from minutes to seconds. But in either case it would reveal gun positions. If this study is credible, as it appears to be, this would be a clear instance of cyber operations in support of combat at the tactical level.

Dave Bittner: [00:03:30:16] The connection with US election hacking, as noted by the Washington Post and others is this: Fancy Bear used earlier versions of X-Agent implants against the DNC. X-Agent is one of Fancy's signature tools.

Dave Bittner: [00:03:45:03] Some observers claim to discern a silver lining in the clouded Russo-American cyber relations. Intolerable tensions, they tell Passcode, could lead to détente. Well, maybe. Observers are looking at the long, slow road nuclear arms control and confidence building took during the Cold War and drawing hope from that. It's unclear, however, whether cyber conflict is more like nuclear war with high barriers to entry and clear verification means, or more like espionage, which has none of those things. In any case the US continues to pursue a full investigation of Russian influence operations seen during the last election cycle, and we'll be watching for signs of more vigorous retaliation. There's talk in operator circles, reported by the Council on Foreign Relations, among others, of the value of noisy operations.

Dave Bittner: [00:04:35:07] The SANS Institute's Internet Storm Center warns that Mirai IoT botnet malware is ranging into fresh areas as it seeks the ruin of home routers, thermostats, security cameras and other connected devices.

Dave Bittner: [00:04:49:18] The ongoing shortage of qualified IT talent has led some firms to get creative when casting a net for new hires. Adnan Amjad is a partner with Deloitte Cyber Threat Risk Management Practice.

Adnan Amjad: [00:05:02:12] One of the areas of concern is we don't have enough talent coming out of schools in the last several years to address that demand, then there also haven't been robust programs to convert existing talent into, you know, into talent that can help manage cyber risk. We see, especially in the commercial sector, there has been a huge push to see, you know, how we can recruit people who have the risk background, and when I say risk, I mean, clearly broadly, right? So, for example, if you are a business risk person, right, and you understand the risk in a business process, we can take you and teach you the technology aspect of it, right? So, if you understand, for example, how a pharmaceutical company does clinical research and manages the risk around that research, we can take you and we can teach you the technology that you can deploy, right, because you have that core knowledge of, of risk as well.

Adnan Amjad: [00:06:04:07] So we see that happening in large organizations across all sectors, and we see that happening in the professional services' side of the house as well which is where I sit, and relatively successful, you know, most of the time because it's, like I said, it's easier to teach somebody the technology. I think it's harder to take a technologist and, you know, in some cases and have them understand the business aspect of it.

Adnan Amjad: [00:06:32:01] The other area is bringing people who don't necessarily know computer network security or even have a risk background, but have a data background or have a statistics background, and that's primarily something we see a lot in what we call the monitoring aspect of cyber security and then the resilient side of cyber security. So, what monitoring means, for example, in security operations area, for example, you bring a lot of data together. If you're a large enterprise, you bring lots of data together and you need smart data scientists to be able to correlate the data and pull it together. Right? So there's that expertise which traditionally didn't sit in cyber is in huge, huge demand.

Adnan Amjad: [00:07:17:17] And when you get into responding to a breach, you need those data skills as well which, you know, traditionally cyber security, you know, groups have not necessarily built. So, not only you need the business background, right, from a process risk perspective but the other area that we see a lot of, you know, attention to are people who have a data background and who typically haven't resided within IT.

Dave Bittner: [00:07:44:12] That's Adnan Amjad. He's from Deloitte Cyber Threat Risk Management Practice.

Dave Bittner: [00:07:50:20] Two popular blogging services, WordPress and Tumblr, came under attack this week. A wave of dictionary attacks on WordPress sites earlier attributed to unknown criminals operating from a Ukrainian ISP, has been further localized. The attackers appear to be working from Alchevsk, a city in the Donetsk Oblast which is heavily disputed in the ongoing hybrid war. Bleeping Computer notes that the Ukrainian government's writ doesn't really run in that region and that it seems likely the ISP is a bulletproof host catering to criminals.

Dave Bittner: [00:08:23:15] Tumblr sustained a distributed denial-of-service attack that disrupted it in Europe and the US for a couple of hours. We heard from security company Plixer's CEO Michael Patterson who again reminded us that DDoS can have at least two goals, downing a website and distracting security teams from another primary attack. The attack on Tumblr was claimed by a criminal group, R.I.U. Star Patrol. They say they did it for the lulz.

Dave Bittner: [00:08:54:04] Time to tell you a little bit more about today's sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. Here at the CyberWire we subscribe to and benefit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely. Because that's what you want, actionable intelligence. Sign up for the Cyber Daily email and every day you'll receive the top cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:09:57:22] Joining me once again is Doctor Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, it's my understanding that when it comes to security on our mobile devices that it is the cellular tower that negotiates the amount of encryption between your mobile device and the tower, if there's any at all, and so this can sort of lead to situations where, if someone's spoofing a tower, they can direct your mobile device to say, "Hey, we don't need any encryption here, let's just send things in the clear." I was wondering if you could first of all tell us is that the case? And kind of give us some of the historical background for why this option was included.

Dr. Charles Clancy: [00:10:36:18] It is the case actually. A cell tower is able to select from a variety of different encryption options when it negotiates a new session with a cellular device. This started back in the 2G era. Of course when you move all the way back into 1G, the analog original phone networks, there was no encryption and this caused principally a lot of theft of service. I've heard rumors and statistics that 60% of the phone traffic in Los Angeles in the early 1990s was all spoofed and stolen accounts where people were using someone else's phone number because there was no encryption.

Dr. Charles Clancy: [00:11:17:21] So as we moved into 2G there was the desire to add encryption to the cellular infrastructure, principally to avoid fraud. But in the mid 1990s when the 2G cellular standards were being created, the US still had very strong export laws around encryption. If you were surfing the net back in the mid 1990s and you went to go download the Netscape browser, you may recall being asked whether or not you were within the United States, and depending on your answer, you'd get a different version of Netscape that had stronger encryption than if you checked the box saying that you were outside the United States.

Dr. Charles Clancy: [00:11:52:19] So, these sorts of export controls on encryption led to the development of a range of security options in 2G cellular, where it could support unencrypted links, weak encrypted links and strong encrypted links. By the time we get to 3G however, the encryption laws had been reformed and there were no prohibitions on export of strong encryption. However, we also by then started to see the rise of China within the technology ecosystem, and they had an agenda of pushing for weaker or no encryption options within the standards. And so the reasons why there were no encryption, those options for not having any encryption vary depending on the generation of technology and the political situation, but the consequence is that pretty much every generation of cellphone technology includes options where you can disable encryption.

Dave Bittner: [00:12:46:18] What about the coming generations of cellular technology? Is this all, you know, a security hole that's going to be patched?

Dr. Charles Clancy: [00:12:53:14] When you get into 4G, I mean, the options are still there but most of the implementations, particularly on the handset side, are not likely to support some of those modes. So while it would be much more difficult to spoof a 4G tower, your phone needs to support 2G and 3G, so if I'm an adversary who wants to spoof a tower, rather than try and spoof a 4G tower, which may be difficult or impossible depending on the encryption on the device, all I have to do is spoof a 2G tower because all the phones need to be backwards compatible to support 2G.

Dr. Charles Clancy: [00:13:33:04] So that's what we see in the whole world of the IMSI-catchers which were brought to the attention of the media about two years ago because of their use by law enforcement.

Dave Bittner: [00:13:43:01] The StingRays and things like that.

Dr. Charles Clancy: [00:13:45:08] Exactly, the StingRay is, is kind of the Kleenex of, of the ecosystem if you will.

Dave Bittner: [00:13:51:11] Right.

Dr. Charles Clancy: [00:13:51:17] It is just one of many different products on the market that supports the-- basically a false base station that's able to convince phones to connect to it for the purpose of identifying each of the phones.

Dave Bittner: [00:14:06:02] Alright, Dr. Clancy, thanks for explaining it to us. Interesting stuff.

Dave Bittner: [00:14:12:10] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.