The CyberWire Daily Podcast 1.6.17
Ep 260 | 1.6.17

Spearphishing in industrial espionage. Ransomware gets more widespread, ruthless, and perfidious. The US Intelligence Community assures the Senate that the Russians hacked the DNC.


Dave Bittner: [00:00:03:19] Reports say a worldwide spearphishing attack against industries in 50 countries is in progress. Ransomware is already proving as much of a problem as predicted - exposed databases are hijacked in a turf-war among extortion gangs - and KillDisk has now appeared in ransomware kits. The US Intelligence Community tells the Senate that, yes indeed, the Russians were hacking during the election. A full report is promised for next week.

Dave Bittner: [00:00:34:04] Time for a message from our sponsor Netsparker. Do you know how to tell a false positive from a real threat? Netsparker does. If it's exploitable, it's real. Netsparker's distinctive automated scans drive out false positives, save you money and improve security. Their approach is proof based scanning. Netsparker's innovative scanning engine automatically exploits the vulnerabilities it defines in websites and presents you with a proof of exploit. You don't need to verify the scanner findings to see if they include false positives. If Netsparker tells you it's bad, trust them, it's bad.

Dave Bittner: [00:01:06:22] Remember, if it's exploitable, then it's definitely not a false positive. Learn more at but wait, there's more. And we really do mean more. Go to for a free 30 day trial of Netsparker desktop. It's fully functional, scan your websites with Netsparker and let them show you how they do it. That's, and we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:40:23] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner, in Baltimore with your CyberWire summary for Friday, January 6th, 2017.

Dave Bittner: [00:01:53:07] Kaspersky Lab reports "a globally coordinated cyber attack" against some 500 companies in 50 countries. The campaign began in August 2016, made extensive use of spearphishing, and appears to have as its object industrial espionage. The targeted sectors are construction, engineering, electrical power distribution, and basic metals or, in this last case, "smelting," as the report calls it. There's no attribution, at least not yet.

Dave Bittner: [00:02:21:22] Any number of thoughtful predictions for 2017, from Recorded Future and Surfwatch Labs, for example, have warned that ransomware, distributed denial-of-service attacks, and destructive attacks may be expected to worsen.

Dave Bittner: [00:02:34:13] Bleeping Computer warns that more MongoDB attacks are on the way. Database administrators should look to their configurations. A group called "Harak1r1" has been hijacking databases exposed on the Internet without the elementary precaution of a password protecting their admin accounts. The attackers encrypt the database and demand that two-tenths of a Bitcoin (about $200) be deposited in the criminals' Bitcoin wallet. More than 8500 victims have been hit since Bleeping Computer's first warning this Monday.

Dave Bittner: [00:03:06:10] Two copycats have joined in, according to researcher Victor Gevers who, according to BBC reports is working for the Netherlands government. An actor calling itself "Own3d " is thought to have hijacked more than 900 databases. This crew is asking for half a Bitcoin (around $500), and another group calling themselves "0704341626asdf" is believed to have attacked more than 700 MongoDB servers. This last gang asks only for 0.15 Bitcoin, or roughly $150, but they impose a 72-hour deadline and subject their victims to a sanctimonious lecture about digital hygiene.

Dave Bittner: [00:03:46:24] It seems that there's now a bit of cyber gangland turf war running over who gets to pwn MongoDB servers. It's in the interest of all civilized people that all sides in the squabble should lose, so admins, please do look to your configurations.

Dave Bittner: [00:04:02:04] So, ransomware seems to be growing riskier. The MongoDB hijackings ask for relatively low ransoms, but that's not the case with other extortion schemes being observed. KillDisk, the destructive malware BlackEnergy packaged in the December 2015 attacks on the power grid in western Ukraine, has been developed into a ransomware package. According to researchers at the security firm ESET, this variant infects both Linux and Windows systems, not only encrypting files but rendering infected machines unbootable.

Dave Bittner: [00:04:33:00] The hoods behind the extortion are demanding 222 Bitcoin (between $210,000 and $250,000, depending on current rates) which, by ransomware standards, is very high. It gets worse. The crooks are sloppy, and apparently not only won't, but can't let their victims recover files even after the ransom is paid. As the ESET post on their We Live Security blog puts it, "The encryption keys generated on the affected host are neither saved locally nor sent to a C&C server. Let us emphasize that the cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware." So by no means pay up if you become a victim. You'll be out a quarter of a million or so, and you won't get your files back, either.

Dave Bittner: [00:05:27:17] Please note that a Google search for KillDisk might lead you to believe that it's nothing more than a capable disk wiping tool. Buyer beware, don't follow the links, and stay away from KillDisk.

Dave Bittner: [00:05:38:22] In the UK there's an ongoing multistage ransomware campaign targeting schools. The first stage is a cold call to a school, in which the caller pretends to be from the Department of Education and asks for headteachers' email addresses so the headteachers can receive a "confidential form." They then send emails to those teachers with malicious documents attached. Once infected, files are locked, and the criminals demand an £8,000 ransom.

Dave Bittner: [00:06:05:19] The ransomware threat is affecting the security market. MarketsandMarkets predicts a 16.3% compound annual growth rate in the market for ransomware defense, rising from $8.16 billion in 2016 to $17.36 billion in 2021.

Dave Bittner: [00:06:24:01] You may have heard something about the Americans saying that the Russians were hacking away at political targets during the last election cycle? We're pretty sure we've heard something to that effect. Come on, we know you've heard about it, we've been talking about this since late Spring.

Dave Bittner: [00:06:37:17] Anyway, the US Senate held hearings yesterday on Russian election hacking. US Intelligence Community leaders reaffirmed their conclusions that Russian services successfully targeted the Democratic National Committee.

Dave Bittner: [00:06:50:06] Eyebrows are being raised in the media over the FBI's apparent reliance on CrowdStrike's forensics in its investigation of the DNC hack, but such reliance is not really surprising. DNI Clapper promises a full report next week. Rumor has it the report will detail how WikiLeaks got DNC emails. Rumor also has it that the tips came through cut-outs, so WikiLeaks may in fact have sincere or at least plausible deniability of knowing that it was being fed by Fancy Bear. President Obama is said to have been briefed yesterday. President-elect Trump has been scheduled for a briefing today.

Dave Bittner: [00:07:26:21] The story is, as they say, developing. What they call in the news business, "highly placed officials who spoke on condition of anonymity" are saying that the US Intelligence Community knows exactly which Russian tipped off WikiLeaks.

Dave Bittner: [00:07:40:13] We hope these are good leaks, not like that one about the Vermont power grid being hacked.

Dave Bittner: [00:07:45:02] Oh, and why are the high officials speaking on condition of anonymity? Because they're leaking highly classified information, says they. We don’t know. We don't deal with that stuff, because we're a family show. But it does seem to us a good thing NISPOM applies to contractors, or else those leakers would be in big trouble.

Dave Bittner: [00:08:09:14] Time to take a moment to thank our sponsor Cylance. Are you looking for something beyond legacy security approaches? Of course you are, so you're probably interested in something that protects you at machine speed, and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence.

Dave Bittner: [00:08:26:11] Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection.

Dave Bittner: [00:08:46:00] Visit to learn more about the next generation of anti-malware. Cylance, artificial intelligence, real threat prevention, and we thank Cylance for sponsoring our show.

Dave Bittner: [00:09:03:03] Joining me once again is Ben Yelin, he's a senior law and policy analyst for the University of Maryland Center for Health and Homeland Security. Ben saw an article come by in Ars Technica, the title of the article was, IRS to Coinbase. Please identify active US traders between 2013 and 2015. Coinbase is a popular Bitcoin wallet service. Help us understand what's going on here.

Ben Yelin: [00:09:25:23] So, the IRS actually generally has the right to request data through administrative requests; that's under the United States code section 7602. The reason that this case is unique is that the IRS would not be requesting information on any individual, or any individual that holds virtual currency. They're requesting information from every single user of this virtual wallet, this Coinbase system.

Ben Yelin: [00:09:52:07] So, while the request itself isn't unusual, it's the breadth of the request that I think is going to cause a lot of concern among people who are protective of personal information and people who are civil liberties advocates. The IRS hasn't spoken publicly about this request. Coinbase, while they say that they comply with all law enforcement administrative requests, have concerns about revealing the personal data of every single one of their users between 2013 and 2015.

Ben Yelin: [00:10:23:15] Granted, the IRS's request seem to indicate that there was at least reasonable suspicion, enough to get this sort of judicial order, that people had been trying to hide virtual currency as income, even though that income counts as property for tax purposes. So I think it's the breadth of this search that has opened some eyes, and it'll be interesting to see whether the IRS is able to have this request granted by a court.

Dave Bittner: [00:10:52:19] What in general is the IRS's relationship with these kinds of virtual currencies?

Ben Yelin: [00:10:58:06] So the IRS has issued a ruling on virtual currencies that took place in 2014, and it held that virtual currencies count as income property for tax purposes, so they don't get any sort of special designation. Now, property for tax purposes is slightly different than pure monetary income. It's more akin to holding or obtaining something of significant monetary value than actually gaining the money itself.

Ben Yelin: [00:11:26:04] But again, that IRS administrative ruling is relatively new, so we've only had one full tax year under this holding, and I think a lot of the way that the IRS treats virtual currency will become more evident in the coming years.

Dave Bittner: [00:11:44:01] Ben Yelin, thanks for joining us.

Dave Bittner: [00:11:51:04] Time for another message from our sponsor Cylance. You know you're probably looking for something that goes beyond legacy security approaches. So of course you're interested in something that protects you at machine speed and that recognizes malware for what it is. No matter how those bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence.

Dave Bittner: [00:12:09:04] Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection.

Dave Bittner: [00:12:29:22] Visit to learn about the next generation of anti malware. Cylance, artificial intelligence, real threat prevention, and we thank Cylance for sponsoring our show.

Dave Bittner: [00:12:50:07] My guest today is Tony Cole from FireEye, where he's Vice President and Global Government Chief Technology Officer. FireEye recently released a report titled Questions and Answers: The 2017 Security Landscape. Obviously something at the top of mind for a lot of people is the new administration coming to Washington. I think it's fair to say there's a certain amount of uncertainty coming along with that. What's the report's take on that situation?

Tony Cole: [00:13:17:18] Well, it's very interesting. One thing we've seen a lot in the past, inside cyber and more outside than not, and that's the determination of many different adversaries at the nation state level, and other places, to actually go in and test the new administration's resolve in a number of different areas. Based on what's happened leading up to this election, we think that that's certainly a good possibility in 2017 as well, that we could see some nation states test the resolve of the US administration in cyber and other areas.

Dave Bittner: [00:13:49:11] What are we expecting from Russia and China?

Tony Cole: [00:13:52:03] More of the same from Russia. So they've been very clear, you know, with some of the attacks they've done over the past couple of years. We know they have a great capability. They're going to continue to actually test us, I think, across the board and many of our allies as well. On the Chinese side, I think we're going to continue to see a shrinking public facing attack on the nation state side, and more stealthy attacks taking place that are going to be hard to attribute directly back to the Chinese government.

Dave Bittner: [00:14:25:01] You mentioned in the overview of the report, one of the topics was What's Next for Less Security Mature Regions? I'm intrigued by that. What do you mean by less mature regions?

Tony Cole: [00:14:35:24] Yes, certainly. I spend a lot of time around the globe talking to governments and a lot of corporate organizations as well, and it's very clear to see that many of them don't even realize they're a target today. So, as those countries continue to grow and industrialize in this modern global economy, they become more and more of a target for nation states and organized crime to go after, while many of them today aren't mature enough in their security thought process to even realize that somebody is actually out there with these capabilities to go after them. So they don't think they have a problem, yet.

Tony Cole: [00:15:11:24] Obviously that becomes very clear very quickly to them once they're shown that they're compromised, and I emphasize a point, "shown that they're compromised", because most of the time they won't find it themselves. People often ask me, "Who's the best out there today?" and that's a very difficult question to answer because there's pockets of pretty decent, there's no pockets typically of excellence, and there's a lot of folks actually in the very lower tier not doing what they need to do.

Tony Cole: [00:15:39:06] So it's kind of hard to define that one as you look across the globe. I heard a good analogy many years ago. You can be the fastest soccer player in your team, that doesn't mean your team's any good.

Dave Bittner: [00:15:51:11] As you were putting the report together, were there any things that stood out that were surprising?

Tony Cole: [00:15:56:09] Yes, I think a few. One of the ones that did surprise me, the lack of awareness of many of the ICS system assets by security personnel tasked with protecting them. That's a big challenge. We need to work on the awareness piece for ICS as well as the user awareness, but that's a big challenge where they don't realize that they're a target and there are vulnerabilities in their systems.

Tony Cole: [00:16:18:14] The fact that many of those systems are put in place for decades before they're depreciated out of the environment is a challenge as well, because many of those vulnerabilities will likely never get fixed. I guess the other piece probably was the very large uptick in ransomware attacks and, I think, regardless of the efforts that law enforcement is working on globally in that area, that's going to be another area where it's going to continue to accelerate for 2017, something that's a major concern in regions that aren't very mature in their security thinking and processes and tools yet.

Dave Bittner: [00:16:54:00] And we have a continuing issue with not having enough personnel to fill the cybersecurity jobs, certainly here in the United States and we hear that around the world as well. Do you think that situation is going to change for the better or for the worse coming into the New Year?

Tony Cole: [00:17:10:02] I think it's going to be worse, and that's not because there aren't great efforts under way. The efforts here in the US with the information assurance schools of excellence, that NSA and now DHS as partnership have created, many efforts like that in other nations around the globe now. However, the fact that there were so many different verticals around the globe that simply weren't aware of the security issue, that hadn't done anything in this space, I think that the requirement for security expertise is going to far outstrip what we can generate. And I think that's going to drive further use of automation and machine learning inside security environments for security mature organizations to solve some of these challenges, because today it's a continuous poaching game for the experts that are out there, so one organization steals them from another.

Tony Cole: [00:18:03:18] So I think it's going to be really interesting and I would say one point that I think is going to be - I won't say fun because it's not fun - but interesting to watch is, if you look at the attacks that happened, the Russian focused attacks against the DNC here in the US, with upcoming elections in Europe specifically in Germany very soon; it's going to be interesting to see if Russia tries the same thing over there. I think the interesting part is everyone is aware of this now in mature countries out there around the globe, so it's going to be interesting to watch to see if they still attempt to actually manipulate the election, knowing that the Germans and other countries as well with elections coming up are watching very closely their systems to see if they attempt it.

Tony Cole: [00:18:47:23] So I think that's going to be fun to watch in 2017. It will at least be interesting and hopefully we'll push the Russians back on their heels a little bit in this space.

Dave Bittner: [00:18:57:02] That's Tony Cole from FireEye. And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors, who make the CyberWire possible and special thanks to our sustaining sponsor Cylance. Learn more about how Cylance prevents cyber attacks at

Dave Bittner: [00:19:20:12] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend everybody.