The CyberWire Daily Podcast 12.23.16
Ep 252 | 12.23.16

Gunnery hacking. Influence operations and a proportionate response thereto? Yahoo breach post mortems. NIST issues Special Publication 800-184: "Guide for Cybersecurity Event Recovery."


Dave Bittner: [00:00:03:10] Fancy Bear goes to war. Russia denies meddling with US elections. US retaliation for influence operations is still under consideration. Some speculate that when it comes, it may be loud. Siemens patches its widely used HVAC controller. Postmortems on the Yahoo! breach continue and draw attention to cybersecurity EFTs. And NIST releases its guide to cyber incident response and recovery.

Dave Bittner: [00:00:33:09] Time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it every day. The web is rich with indicators and warnings but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff, and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top-trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:41:09] I'm Dave Bittner in Baltimore with your CyberWire summary and week-in-review for Friday, December 23rd, 2016.

Dave Bittner: [00:01:49:15] More people look at the compromised Android fire direction app that enabled Russian forces to locate and destroy Ukrainian artillery during hybrid combat in eastern Ukraine. The Ukrainian officer who developed the app and provided it to his comrades has said reporting on the hack contains "rotten information." But he also advises users to delete older versions and download the app only directly from him and not from some dodgy third-party source.

Dave Bittner: [00:02:16:15] Some commentators are saying that the risks CrowdStrike reported are overblown because the phones and tablets with the app installed wouldn't be Internet-connected. Maybe, but video from Ukrainian sources showing the gunners using the tool certainly suggests they're connected wirelessly to something, in some cases guns, in other cases mapping programs like Google Earth, all of which suggest the devices are accessible from the web and capable of reporting back to the Russian army.

Dave Bittner: [00:02:42:22] Apart from some targeting of ISIS operators developed by monitoring their online activity, this incident does seem to offer the clearest instance yet of lethal tactical hacking. Many observers see this as a new overlap of military operational domains as cyber ops intersect with kinetic combat. Others see a natural evolution of electronic warfare into cyberspace.

Dave Bittner: [00:03:05:10] CrowdStrike attributes the gunner hacks to Fancy Bear, Russia's military intelligence agency, the GRU. It says the code in the X-Agent malware is similar to that found in the US Democratic National Committee networks. Russian President Putin has denied again meddling with US elections and expressed hope for better relations even as US investigation into influence operations continue.

Dave Bittner: [00:03:28:12] President Obama has said the US will take proportionate action against Russian cyber operations at a time and place of its own choosing. The list released this week of Russian organizations and individuals that will face US sanctions is probably not that promised action but rather a continuing response to the years' old Russian re-engorgement of Crimea and other Ukrainian territory. Reports suggest that the US was better prepared to defend against a hacking offensive than it was for the information operations that actually materialized.

Dave Bittner: [00:04:00:06] So the US still presumably has some retaliatory cyber operations in the barrel, but what those might be remains to be seen. There's not much hint of them in recent high-minded harrumphing from Director of Central Intelligence Brennan who would decline to sink to the adversary's level, deplores "skullduggery," etc. The Council on Foreign Relations says people at Fort Meade told them that US Cyber Command likes the idea of "loud" cyber weapons so retaliation, if it comes, may be noisily obvious.

Dave Bittner: [00:04:31:24] Moving to industry news, Siemens releases firmware patches for its popular Desigo PX industrial control hardware. This product line is widely used for controlling HVAC systems in commercial buildings. Mozilla has announced plans to upgrade sandboxing in its Firefox browser.

Dave Bittner: [00:04:50:13] With Yahoo!'s future very much up in the air, observers look at the company and see a case study in the tensions that exist among cost control, user experience and security. Financial analysts note that the record-setting breach has drawn attention to cyber security exchange traded funds.

Dave Bittner: [00:05:07:11] And finally a kind of Christmas present from NIST. The Institute has released Special Publication 800-184, its "Guide for Cybersecurity Event Recovery." It's billed as a playbook designed to help organizations respond and recover when they come under cyber attack. Any enterprise would do itself a favor by taking a look.

Dave Bittner: [00:05:31:21] Time for a moment to tell you about our sponsor, Recorded Future. You've probably heard of Recorded Future, the real time threat intelligence company. Their patented technology continuously analyzes the entire web to give info sec analysts unmatched insights into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:06:32:18] And I'm pleased to be joined once again by Professor Awais Rashid. He heads the Academic Center of Excellence in Cyber Security Research at Lancaster University. Professor, we talked about APTs, advanced persistent threats and you wanted to fill us in today on data exfiltration by APTs.

Awais Rashid: [00:06:50:10] Yes. One of the interesting evolutions of our hyper-connected infrastructure is that within any organization, your systems are increasingly more complex, so there was a time, where as an organization, you pretty much had full control over your network and what was connected to that network. As we open up our infrastructure through Internet and web-based interfaces, we allow employees to bring their own devices, we use cloud, cloud-based systems both in terms of software and infrastructure, it basically means that increasingly your organization's network is a patchwork of systems and that makes security of this infrastructure a very complex task.

Awais Rashid: [00:07:41:18] And advanced persistent threats, the sophisticated attackers can actually exploit this complexity to enter the system and exfiltrate valuable data from the system. We have seen various scenarios of these where attackers have actually stayed within the system for, you know, for several months waiting for an opportunity to do lateral movement. We also see various patterns in terms of how attackers might actually extract data out of these systems. A lot of times attackers would use fairly open channels, like your HTTP, your file transfer protocol, email and webmail, but also we see very sophisticated mechanisms that exploit often, you know, cloud-based services such as, you know, the various storage environments that many, many organizations now allow and use such as, you know, services such as Box or Dropbox and the reason is that if you are using these services as an attacker then the traffic actually blends in with normal traffic and it doesn't get picked up by, by security systems and anomaly detection systems.

Awais Rashid: [00:08:58:19] Similarly you can have many other advanced exfiltration channels that attackers might use, so, for example, a lot of organizations now use voice over IP techniques and you can actually use stenography where you can hide information in those voice over IP packets to try and extract information out of these systems.

Awais Rashid: [00:09:21:01] In general, I think the key problem has to be that whenever we look at the data across an organization, we need to think and ask the question, "Where are our data assets?" Because many a times we think of our data assets as things that are in storage, they sit somewhere on disc and we think that, for example, encrypting discs, which actually is a very good activity and we must do, protects that data, but, there is also data in use that is brought regularly into a computer's memory and hence decrypted and is utilized in day to day processing and then there is data in motion that transits across the network or from our network into other services, for example cloud-based services which actually creates potential vulnerability points which an attacker can exploit.

Awais Rashid: [00:10:09:00] So given that our systems are now so complex and attackers are getting increasingly sophisticated, we need to think about where are our data assets and how we may protect them.

Dave Bittner: [00:10:19:24] Awais Rashid, thanks for joining us.

Dave Bittner: [00:10:30:16] My guest today is Keith Mularski. He's a supervisory special agent with the FBI working out of the Pittsburgh office where he oversees all cyber investigations for that region. Special Agent Mularski and his team were instrumental in coordinating international efforts to take down the Avalanche botnet, which was a criminal syndicate involved in phishing attempts, bank fraud and ransomware.

Keith Mularski: [00:10:53:02] Up here in Pittsburgh we've been working many different botnet cases. A couple of years ago we did a take-down of the GameOver Zeus botnet that used a peer to peer infrastructure,and then last year we did a take-down of the Dridex botnet. So in the wake of those two take-downs we kind of started looking at the Avalanche infrastructure which was a way for criminals to anonymize their botnets. So instead of just one botnet going over the Avalanche infrastructure, there were a dozen or so at any given time. And what Avalanche did was, it had many different layers of obfuscation and proxy networks that kind of almost acted like a peer to peer, but it was actually what they call fast flux network, that would enable it to be very difficult for law enforcement to find out where the back end is, to be able to shut it down. And then we had some victims here in western Pennsylvania from a couple of these botnets that were hosted over Avalanche and that's kind of how we got involved.

Dave Bittner: [00:11:54:11] And these were not insignificant attempts to transferring money?

Keith Mularski: [00:11:58:21] No, absolutely not. They really go after small to mid-sized businesses that have a few hundred thousand to millions of dollars in their account and that's what the criminals were mostly targeting from the banking Trojan side.

Dave Bittner: [00:12:10:19] And so, the network comes to your attention. Take us through the process of how you go about, you know, working with other agencies around the world to bring it down?

Keith Mularski: [00:12:19:06] We worked very closely with our German counterparts at the German State Police, and, over there, and they had been looking at this infrastructure for a couple of years, and they had reached out to us based off of some of the success we had in the previous take-downs. So we started working with them. We started looking at the types of botnets that were being hosted there and then we were able to get victims here in Pennsylvania. And then from starting to do those investigations, we just started pulling the strings and looking at where the infrastructure was hosted around the world, identifying subjects in different countries. We really leveraged what we call our legal attachés which are FBI representatives that are stationed in all the countries overseas. They're at the embassies. And their job is to get liaison with our foreign partners over there and really make it a lot easier to move these cases along a lot quicker.

Keith Mularski: [00:13:18:00] So we worked very closely with them to pass intelligence on a real time basis on where infrastructure was moving, you know, who the subjects are and we were able to make the investigative process go a lot faster.

Dave Bittner: [00:13:31:20] And, and so take us, you know, through the point where you feel as though you've identified some of the people who are actually running this botnet and then it's time to pull the trigger and bring them in.

Keith Mularski: [00:13:42:15] Yeah, so what we wanted to do was a two-fold approach. One is we wanted to get the people responsible for it and some of the people that were running the botnets, but, at the same time, we also wanted to hit the infrastructure and take that down. So we had to take a two-pronged approach. One is we wanted to work with our foreign law enforcement partners to get them the intelligence for them to do surveillance, or whatever they needed to do to confirm the identities, and get them the evidence so we could plan searches. And the second thing that we needed to do was work with private industry in order to sinkhole the domains that the malware was using and also to seize the servers and infrastructure.

Keith Mularski: [00:14:28:15] So what we, you know, had to do was get a criminal, what we call a criminal temporary restraining order, in order to give us the authorities to be able to seize the domains, which, the last count, I think, was somewhere around 870,000 domains that the malware would talk to, that we would have to seize. There were over 40 different Internet registries that participated in this including there was a registry on Christmas Island and so he was in control of, like, a couple of the domains but we had to go to him because we had to sinkhole them and, you know, he ran the local marina and also the Internet registry so we had to really go, you know, at the far ends of the earth in order to make sure that everything was going to work very well.

Keith Mularski: [00:15:13:02] We had a meeting at the EC3 which is the European Cyber Crime Center, at Europol, and we brought together all the different countries in the Internet registries to kind of say, "Okay, we're going to do this take-down on, on this day and this is kind of what we needed to do and get everything in place." So on take-down day we went and did our law enforcement action, doing searches and arrests, and then we seized servers, and then we started sinkholing the domains to be able to take all the infected computers away from the bad guys. So that's kind of it in a nutshell.

Dave Bittner: [00:15:51:14] Give us a sense for the scale of the operation. How many people were brought in and what are we talking about with the servers?

Keith Mularski: [00:15:59:10] Really, the scope of it was unprecedented. We had over 40 different countries participate in this. We had law enforcement action in, I think about a half a dozen of them where we had some seizures and we had some arrests in, in Ukraine and in Bulgaria and in Germany. So I can't get into a lot of the law enforcement details yet because it's still ongoing. You know, the scope was really just huge, you know, with 40 different countries. If you could just imagine trying to get four people, you know, in a conference room to try to do things coordinated, let alone to have 40 countries from, you know, not being in a conference room to do something coordinated, it was very difficult. But it all worked out and it all turned out very well.

Dave Bittner: [00:16:44:16] And what are the ripples of this around the world? Do the other bad guys around the world take notice?

Keith Mularski: [00:16:51:17] Well, we hope so, because we're trying to target and one of the strategies that the FBI does in working with our law enforcement partners is that we want to go after shared criminal services. And what shared criminal services are, it could be, like, bullet-proof hosting providers, it could be people that are, you know, writing malicious code that's used across, you know, the whole criminal platform. So, in this case we went after and took out one of the shared criminal services that was used by over 12 different organizations that were running their own separate botnets. So, we think that has a major impact, because we're not just disrupting one organization, we're disrupting, you know, 12 and by taking Avalanche off, it will make it much more difficult for people to host, you know, these malicious code and botnets. We're trying to make the world a smaller place because cyber crime has no borders, and it's this type of coordination and these type of successes that we can build on, you know, for future operations.

Dave Bittner: [00:17:57:03] That's Keith Mularski. He's a supervisory special agent with the FBI.

Dave Bittner: [00:18:23:01] And that's the CyberWire. Thanks to all of our sponsors for making our show possible. We're going to take a break next week to relax and spend some time with our families, so we'll be running best-of shows featuring some of our favorite interviews from the year. We'll still be publishing our daily news brief on our website,, and while you're there you can sign up to have the daily news brief delivered to your email.

Dave Bittner: [00:18:43:17] I want to take a little extra time today to thank everyone who makes the CyberWire possible. We've got an amazing group of dedicated professionals here working behind the scenes to bring you our show every day. John Petrik is our editor, and whenever I sound smart or funny, chances are that's something that John wrote. Jennifer Eiben manages our social media and a whole lot more, including our annual Women in Cyber Security event here in Baltimore, and she makes it all look easy. Chris Russell is our technical editor, building the tools we need to keep up with the fast-paced schedule of a daily publication, keeping our website up and running and providing creative solutions to our technical challenges. Peter Kilpe is our executive editor, and as much as we like to tease him for being the suit down the hall, it's his combination of business sense and editorial excellence that empowers the rest of us to bring you the CyberWire every day. Thanks to all of our academic, research and industry partners for providing their time and talent to the show. I always learn a lot from them and I hope the rest of you do too. Our show wouldn't be the same without them. Thanks to Jason and Brian at the Grumpy Old Geeks podcast for inviting me over to talk cybersecurity from time to time. We always have fun. And, of course, last but not least, thanks to all of you for listening. It's gratifying to all of us here to know that we're a valuable part of your day and that you choose to listen and help spread the word about our show. We've got a lot of exciting things planned for 2017. We hope you'll join us.