The CyberWire Daily Podcast 3.16.17
Ep 307 | 3.16.17

Lazarus Group is back. Dun & Bradstreet loses data; so does ABTA. Patriotic cyber rioting or state influence operations. US indicts four in the Yahoo! breach.

Transcript

Dave Bittner: [00:00:03:16] The Lazarus Group is back, or maybe it never really left. A Dun and Bradstreet database is compromised; more than 33 million are said to be affected. British Travel Association ABTA suffers a breach. Notes on identity theft. Netherlands voter information sites are hit with DDoS; Turkish hacktivists or government operators are suspected. And the US indicts four in the Yahoo! breach, two of them with FSB connections.

Dave Bittner: [00:00:35:01] Time for a message from our sponsor, Dragos. There are SOCs for this and SOCs for that, our sponsor Dragos would lead you out of that SOCs box because not all SOCs are good for your SOCs and ICS won't fit into IT SOCs. Well, that's how Dr Seuss might have put it, but, Dragos can explain it in a manner fit for adults. They've got a new white paper that can help any organization that operates industrial control systems work through the challenges of establishing a security operations center that meets its distinctive needs. Most SOCs are modeled on the ones that have been built for IT systems, and they're just not cut out to fit industrial control systems. Go to dragos.com and download the white paper now. Build your SOC right and you'll build yourself a capability that meets and grows with your ICS needs. Again, that's Dragos, dragos.com for ICS insight. And we thank Dragos for sponsoring our show.

Dave Bittner: [00:01:39:08] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, March 16th, 2017.

Dave Bittner: [00:01:49:20] The Lazarus Group is back, the North Korean hacking syndicate implicated in earlier instances of both fraud, as in the Bangladesh Bank SWIFT caper, and data theft, as in the Sony hack. Symantec has fingered the Lazarus Group for a wave of bank fraud in 31 countries. The Lazarus Group is widely believed to be a criminal operation run by and on behalf of the Kim regime in North Korea. The affected banks in the latest Lazarus Group campaign were concentrated in Poland, with the US, Mexico, Brazil and Chile being home to other heavily targeted institutions.

Dave Bittner: [00:02:25:05] Pyongyang is facing an economic pinch that is squeezing even a society as austere and devoid of ordinary markets as the Democratic People's Republic of Korea. When China embargoed North Korean coal imports in response to that country's missile tests last month, observers predicted a surge of cyber crime to make good the loss of North Korea's single biggest source of funds. Pyongyang has denied any involvement with the Lazarus Group's activities, citing reports to the contrary as foreign provocations, orchestrated from Seoul, Washington and other parts of the civilized world.

Dave Bittner: [00:03:00:07] Dun & Bradstreet sustained a data breach that exposed contact information for some 33.7 million persons employed by companies and US government agencies. D&B acquired the database when it bought NetProspex in 2015, which should arouse some interest in cyber risk assessment during M&A due diligence. Who illicitly obtained the data, how they got it and to what end remain matters of investigation.

Dave Bittner: [00:03:26:03] There's been another smaller, but still significant breach, at ABTA, Britain's largest travel trade organization. ABTA disclosed that some 43,000 individuals may have been affected in an attack that came through a web server maintained for ABTA by a third party vendor.

Dave Bittner: [00:03:43:10] Breaches of this magnitude always rightly arouse concerns about identity fraud. NuData Security's Lisa Baergen noted to us the role criminal aggregators now play in facilitating identity theft. They cross-reference and assemble surprisingly complete identities, which they sell on the black market. Such comprehensive identities are called fullz in the criminal markets, that's F U L L Z for those who may not speak Leet fluently, and fullz enable criminals to do an awful lot in the name of their victims, including accessing victims' legitimate consumer and social media accounts. Younger people seem most targeted, lots of under-30s and, even more disturbingly, lots of under-21s.

Dave Bittner: [00:04:25:09] NuData shared some advice on how to reduce your risk of identity theft in social media. First, be selective and careful about who receives your status updates. Second, do some profile maintenance: clean up your posts. Third, use the highest, most restrictive security settings available. Fourth, don't share personal information without necessity; birthdays, addresses and phone numbers shouldn't be posted everywhere. Fifth, don't use obvious personal information for security questions, and don't expose the answers to security questions online. Your high school, your grandmother's name, your pets, all of these show up too often in authentication questions. Finally, watch for changes to your credit score and odd charges on your bank and credit card statements, and, if you're a victim, by all means report it to police, banks and others who can help you.

Dave Bittner: [00:05:13:13] Tensions between Turkey and EU members Germany and the Netherlands appear to have been manifested online, most recently in a distributed denial of service attack two Dutch voter information sites suffered yesterday. Many, perhaps most, observers see this as Turkish government inspired and possibly Turkish government directed. It demonstrates, again, the difficulty of distinguishing state action from patriotic cyber rioting, and also how low the barriers to entry for political influence operations have fallen.

Dave Bittner: [00:05:43:06] There's been an evolution of attacks from state sponsored actors and hacktivists, and organizations are investing in a variety of technologies to help protect themselves. Tim Bandos is Director of Cybersecurity for Digital Guardian.

Tim Bandos: [00:05:56:15] From a state-sponsor perspective, basically these are groups of individuals or organizations that have the intent of stealing intellectual property, information that can either improve maybe their economy, something that they can sell for whatever reason, and hacktivists is really, you know, some sort of cause associated with breaking into an organization. One of the last companies that I worked for, one thing that we specifically worked on was genetically modifying, GMO-type technology, and that was heavily against a particular threat group, so they would commonly target us and attempt to break into our organization or cause some sort of denial of service.

Dave Bittner: [00:06:31:23] So, take me through what those types of attacks from those groups typically look like.

Tim Bandos: [00:06:36:06] From a state-sponsor perspective, one thing that we would see is commonly targeted phishing emails, spear-phishing attacks, but we also saw that evolution. They were leveraging third-party networks as an entrance factor, so they would target that organization and come in laterally, or they would leverage some sort of proof-of-concept technology that we just stood up out of nowhere, and they were even aware of that. So now you run into this: is there a potential insider also feeding an outsider that type of information?

Dave Bittner: [00:07:01:16] Even with all the advancements in technology, it still comes back time and time again to the human factor. You talk about insider threats, what's your take on the best ways to protect against that?

Tim Bandos: [00:07:13:17] Yes, so from an insider threat perspective it's, one, having visibility into your data movement, where your classified files are, understanding contextually your environment. Then, when you see those things triggering within a solution like a data loss prevention type technology, you can respond a lot quicker and you're aware of that from that perspective. One thing that we saw a lot of times, when individuals actually leave a company, they'll do a massive download to a USB device and then take that technology over to the new company. Technology like DLP can actually prevent that type of activity from occurring, or at least detect it and notify the analysts. However, you're also hearing about technology such as EDR, the endpoint detection and response capabilities or technology. That's a huge push and I think everyone's kind of moving towards that now; gone are the days of just primarily relying upon anti-virus or firewalls. They really want to have visibility into what's actually happening on the endpoints, because we're at this point now where we just assume that a breach is going to happen or it can occur, so notifying or identifying that activity when it occurs is, I think, success, and then you can kind of remediate and neutralize the second that something happens.

Dave Bittner: [00:08:23:08] That's Tim Bandos from Digital Guardian.

Dave Bittner: [00:08:26:22] The US Justice Department has indicted four men in connection with the Yahoo! breaches. Three are in Russia: Dmitry Aleksandrovich Dokuchaev, Igor Anatolyevich Sushchin and Alexey Alexseyevich Belan; the fourth, in Canada, is Karim Baratov. Baratov and Belan are described as criminal hackers, but Dokuchaev and Sushchin are said to be FSB officers. Major Dokuchaev is in trouble with both the US and Russia; he appears to be one of the FSB officers currently facing charges for treasonously providing information to Americans. Dokuchaev worked in the FSB's Center 18, responsible for liaison with the US FBI in matters touching cyber law enforcement. Police in Montreal have Baratov in custody and he will probably wind up before a US court. The others are being named and shamed.

Dave Bittner: [00:09:20:11] It appears that the FSB used criminals as, in effect, contractors. Belan and Baratov had apparently been turned by the FSB, which used them to help it gain access to Yahoo! data. The FSB was presumably interested in sweeping up the sort of personal information that might prove useful in intelligence work, compromising potential agents, that sort of thing. Belan and Baratov were profiting on the side in the customary criminal market channels.

Dave Bittner: [00:09:48:05] American authorities have asked Canadian police to seize Baratov's snazzy cars; they assert that the rides should be forfeited as fruits of his criminal activity. So expect to see a swell BMW turn up at a US Marshals auction near you. One owner, low mileage.

Dave Bittner: [00:10:09:16] We'd like to thank our sponsor, Palo Alto Networks. You can visit them at go.paloaltonetworks.com/secureclouds. With the adoption of software as a service applications, data now lives beyond the traditional network perimeter, exposing your organization to more malware and threats. Palo Alto Networks helps your organization achieve complete SaaS protection, with detailed SaaS visibility and granular control, data governance, automated risk remediation and malware prevention. Palo Alto Networks has the broadest, most comprehensive cybersecurity for all cloud and software as a service environments, they know that secure clouds are happy clouds. Find out how to secure yours at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:11:06:00] And I'm pleased to be joined once again by Markus Rauschecker. He's the Cybersecurity Program Manager at the University of Maryland's Center for Health and Homeland Security. Markus, I saw an article come by on the Bloomberg Law blog, Big Law Business, and it was talking about how cyber lawyers are likely to be playing a bigger part in mergers and acquisitions?

Markus Rauschecker: [00:11:26:06] Yes, I think that is true. Lawyers are certainly playing a larger and larger role in the cybersecurity field in general, but, when talking about mergers and acquisition deals specifically, I think lawyers are going to be playing a larger role because they need to look at and examine any potential problems that might arise for the company that is acquiring another company, in terms of cybersecurity problems. There is, of course, the potential that the company that's being acquired has suffered a breach and doesn't even know about it yet so, once the merger or acquisition goes through, the company that has acquired the other company could potentially take on all of the issues associated with that data breach, and that could mean a huge cost later on down the road. So there needs to be some analysis of these potential issues and I think lawyers are the ones to really help out in that regard.

Dave Bittner: [00:12:23:17] Yes, and certainly the deal going through with Verizon and Yahoo! has brought this issue to the fore?

Markus Rauschecker: [00:12:30:16] Oh absolutely, yes. These breaches were all revealed after the merger and acquisition negotiations had already commenced with Verizon, and so now Verizon, of course, is thinking about its dealings with Yahoo!, and a lot of people were asking, does this mean, now that we know about these data breaches, that Verizon will pull out of the negotiations? But it doesn't look like that's going to be the case. Apparently, the acquisition price has dropped a little bit, about 250 million, but that's not all that much when we're talking about an almost five billion dollar deal.

Dave Bittner: [00:13:10:24] Yes. I think this speaks to a trend that we've heard about, certainly in the last year or so, which is that these cyber issues are gaining more and more attention in the boardroom.

Markus Rauschecker: [00:13:23:09] Oh, absolutely. Yes. Cybersecurity's not only for technologists anymore, lawyers and executives are playing a much larger role when it comes to cybersecurity. The boardroom needs to be fully aware of all of the cybersecurity issues that a company could be facing, and that means that lawyers need to be involved as well to provide the legal advice when it comes to cybersecurity issues. So it needs to be a consideration at every level of a company, from the boardroom all the way down to the tech and everyone else involved in the company as well.

Dave Bittner: [00:14:02:10] All right, Markus Rauschecker. Thank you for joining us.

Markus Rauschecker: [00:14:04:06] Thank you very much.

Dave Bittner: [00:14:07:21] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance uses artificial intelligence to keep you safe and secure online, check out cylance.com.

Dave Bittner: [00:14:21:07] The CyberWire podcast is produced by Pratt Street Media, our Editor is John Petrik, our Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thank you for listening.