The CyberWire Daily Podcast 4.24.17
Ep 334 | 4.24.17

Nation-state tensions in cyberspace over North Korean threats and presumably Russian cyberespionage. Locky returns. More pharma spam. Seleznev gets 27 years for carding.

Transcript

Dave Bittner: [00:00:03:10] Cyberattack worries mount with international tensions over North Korea. France's first-round presidential elections conclude with two outsiders headed for the finals. WikiLeaks' and ShadowBrokers' leaks find their way into the criminal wild. The US shows renewed interest in prosecuting WikiLeaks' Assange. Locky ransomware is back from the dead. More Canadian pharma spam. Seleznev gets 27 years for carding. And notes on some less than fully successful criminals.

Dave Bittner: [00:00:37:20] Time to thank our sponsor, Palo Alto Networks. You can visit them at go.paloaltonetworks.com/secureclouds. With the adoption of software as a service applications, data now lives beyond the traditional network perimeter. What are you doing to keep your organization's data protected in this new environment? Palo Alto Networks' integrated platform provides detailed software as a service visibility and granular control, data governance, automated risk remediation and malware prevention so organizations can achieve complete cloud security even in SaaS applications. Palo Alto Networks has the broadest, most comprehensive cybersecurity for all cloud and software as a service environments because secure clouds are happy clouds. Find out how to secure yours at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:40:01] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, April 24th, 2017.

Dave Bittner: [00:01:49:19] Concerns about cyberattack, as usual, follow in the train of rising international tension. This can be seen currently as US worry about North Korean hacking prompts conversations about US vulnerability to cyberattacks directed by Pyongyang. Kaspersky has been reminding the world that the Lazarus Group, implicated most famously in the partially successful funds transfer fraud committed against the Bangladesh Bank in February 2016, is connected to the North Korean regime by strong circumstantial evidence. The US has also accused Pyongyang of the November 2014 Sony Pictures hack.

Dave Bittner: [00:02:26:11] While the Kim regime's recent talk has been decidedly kinetic, with much lurid propaganda involving promised missile strikes and widespread nuclear devastation, delivered for the most part in the characteristic model airplane aesthetic of juche culture, that country's missiles are regionally dangerous but not yet capable of the promised havoc. Cyberattack is thought much more likely.

Dave Bittner: [00:02:49:21] A study HP conducted in 2014 remains a good guide to North Korean capabilities. The report estimated the size of North Korea's offensive cyber force as some 6,000 personnel, some of whom operate under clandestine illegal cover in foreign countries, China among them.

Dave Bittner: [00:03:06:17] Infrastructure targets, including well-defended financial networks and arguably more vulnerable power grids, are thought to be at risk. Small and unrelated power outages last week in New York, Los Angeles and San Francisco are being talked about as cautionary examples. The disruptions all appear to have had accidental non-cyber causes but they have underscored potential vulnerabilities in the grid.

Dave Bittner: [00:03:31:06] China's government is none too happy about North Korean behavior either, but their reaction is a complex one: an embargo on North Korean coal exports, but also unhappiness over South Korean efforts to build up defenses against missile attack. China is specifically concerned, according to analysts at security company FireEye, about South Korea's deployment of missile defenses in the form of the Terminal High-Altitude Air Defense, or THAAD, system. The PLA has targeted its cyber espionage assets accordingly.

Dave Bittner: [00:04:02:21] The first round of France's presidential election concluded yesterday. The runoff will be between Emmanuel Macron and Marine Le Pen, both outsiders, both regarded as populists. No word yet on whether the feared foreign influence operations appeared in this election but the finals will be watched closely.

Dave Bittner: [00:04:21:12] WikiLeaks' release of alleged CIA cyber espionage tools in Vault 7 continues to prompt concerns over the risk all enterprises face when such tools hit the wild. Similar concerns surround the presumably independent release by the ShadowBrokers of what the group claims are NSA tools. One of those, the DoublePulsar backdoor affects large numbers of unpatched Windows machines worldwide; 36,000 according to estimates by security firm Below0Day. Countercept has released a tool that promises to determine whether a system has the DoublePulsar implant and, of course, users are advised to patch their systems.

Dave Bittner: [00:05:02:03] US investigations of the apparent leaks proceed, but without much public comment about progress. The US Justice Department has taken a renewed interest in indicting and prosecuting WikiLeaks' Julian Assange, still resident in Ecuador's London embassy. How he might be charged is still unclear. Assange's attorneys position their client as a journalist and argue that his prosecution would be tantamount to an attack on press freedom. A former official who worked on the matter during the previous US administration told Foreign Policy that, "The problem with the investigation was finding a case that you could bring against Julian Assange that wouldn't also apply to reporters from every major US media outlet". Mr. Assange, it's worth noting, has taken refuge in the Ecuadorian embassy to avoid extradition to Sweden on charges unrelated to WikiLeaks.

Dave Bittner: [00:05:53:21] Locky ransomware, recently given up for dead, is back. The revenant malware is being distributed by the newly active Necurs botnet. Experts agree that regular secure backup of files is the best thing you can do to protect yourself from the effects of a ransomware attack. You'll be inconvenienced but you won't lose irreplaceable data.

Dave Bittner: [00:06:13:14] Google has booted SMSVova spyware from the Play Store. SMSVova cloaked itself inside a bogus system update app that promised users that it would keep their Android devices up to date. Researchers at security company Zscaler say that between one and five million users downloaded the app over the past three years. SMSVova was particularly interested in harvesting location data.

Dave Bittner: [00:06:39:02] Researchers at security company Incapsula reported finding a large and evasive spam campaign hawking counterfeit pharmaceuticals, the usual discount Viagra come-on. More than 80,000 unique IP addresses are serving the spam. It's a large criminal campaign, the latest iteration of the Canadian pharmacy scam long pursued by organized gangs, most of which appear to be headquartered in Russia and Ukraine.

Dave Bittner: [00:07:06:15] A US court at the end of last week handed down the stiffest sentence on record, 27 years, to Roman Valeryevich Seleznev, Russian carder and son of Valery Seleznev, an influential member of Russia's Duma. Seleznev was arrested while on holiday in the Maldives in 2014, extradited via Guam to Seattle and convicted in August 2016. In mitigation he unsuccessfully pleaded a difficult Vladivostok life, the details of which do indeed sound sad, his mother's death to alcohol poisoning, a bombing, an unpleasant divorce. Still he had been something of a princeling. The Russian government, for example, took sufficient notice of his arrest to mount an ultimately unsuccessful campaign denouncing it as kidnapping, and the US court apparently was more moved by the damage Seleznev's carding worked. Many of his targets were small businesses, at least some of which were driven into bankruptcy by Seleznev's crimes.

Dave Bittner: [00:08:05:20] Two more stories of crime and punishment are worth mentioning, neither one a case of criminal genius at work. In one, a guy stealing smartphones at the Coachella festival apparently forgot about Find My iPhone. He had about 100 stolen devices in his backpack when he was collared.

Dave Bittner: [00:08:22:09] And in New York it's come to light that the FBI earlier this month arrested an IT engineer on Wall Street for hacking into his employer's servers. The Feds think he was stealing proprietary source code. The gentleman under official suspicion said he was worried about his job and so was looking into people's emails to see if he was about to be fired. Fired he was, the very act taken to avert his fate working to bring that fate about. It's like Dumb And Dumber, only written by Sophocles.

Dave Bittner: [00:08:56:22] And now a moment to tell you about our sponsor, Control Risks. As your company grows and the global business environment becomes more complex, it gets harder to identify your blind spots and figure out how to see into them. It's now more important than ever to understand how protecting your systems and data requires visibility beyond your network. Control Risks supports its clients by increasing their situational awareness and proactively securing their operational environment, no matter where it is. Using their global reach and local risk expertise, they have a unique approach to identifying and mitigating their clients' information security risks, from cyber due diligence assessments of third parties around the world to multi-jurisdictional cybersecurity regulatory reviews to cyber threat assessments that account for sociopolitical and economic risk indicators and more. There is uncertainty on the journey toward your business goals. Control Risks brings order to the chaos and reassurance to the anxiety. Find out more at controlrisks.com/cyberwire. That's controlrisks.com/cyberwire. And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:10:11:13] And joining me once again is Emily Wilson, she's the director of analysis at Terbium Labs. Emily, we had this story not too long ago about the emergency alert sirens in Dallas being set off and it turns out this was not so much a cyber connectivity issue or anything like that. These sirens are triggered by an RF signal, a radio signal, and someone took advantage of the fact that these systems respond to those RF signals in the clear, there's really no protection against them. You wanted to make the point that some people are out there to do things for the spectacle of it and that can have some unintended consequences.

Emily Wilson: [00:10:52:12] Absolutely. In this case originally in the news we saw people referencing a hack as you described. The immediate assumption there is somebody has a laptop somewhere that they shouldn't or there's something wrong with the software.

Dave Bittner: [00:11:07:07] Right. But it's interesting in this Dallas case, I think it's fair to suppose that whoever did it may have been just doing it for the laughs or to prove a point that they could do it but there were some consequences. The 911 systems were overloaded for a period of time and people who had other types of emergencies may not have been able to get the services they get. I suspect that that may have been an unintended consequence of the person who did this.

Emily Wilson: [00:11:37:05] Sure. I think you also saw a range of reactions from people in Dallas. I'm sure no one was happy it was happening, but you saw some combination of people being confused or making jokes to people being genuinely concerned, people being afraid. Is this a terrorist attack? Is there something going on? Am I safe? I think these spectacles can definitely have unintended consequences. The same thing when we see certain types of data showing up or certain types of exploits being traded around; it's the stuff beyond vandalism. Sometimes people really want to make a splash, and you think about something like the medical records being dumped after the Olympics from the World Anti-Doping Agency. Big spectacle, big conversation, but now you have personal information out there about all of these athletes that they can't change. It's not like a credit card; you can't reissue it. The spectacle's going to cause a lifelong problem for some of these people.

Dave Bittner: [00:12:34:15] So the motivation of the people releasing those records may have been as simple as, "Oh, yes, watch this," without really thinking through or considering the long-term consequences for all the people who are innocent bystanders of a drive-by attack.

Emily Wilson: [00:12:48:20] Absolutely. I think we're all wondering now, "Are we going to see copycats of this Dallas style siren fiasco? Are we going to see people poking at other things? What else can I do with radio frequencies?" And maybe, hopefully, I suppose, this will have far-reaching impacts on conversations about things we never thought we'd need to encrypt.

Dave Bittner: [00:13:16:13] Right, yes. I mean, these siren systems have been out there for 50 years or more and this hasn't been a problem and now everybody knows about it and knows how to do it. Does that mean steps will have to be taken to lock them down?

Emily Wilson: [00:13:28:24] Right. And what else besides the sirens? What else could be a problem and how do we begin to think about this and allocate these resources? What is this going to mean for other cities, smaller cities? As you mentioned, when the 911 system shuts down, then you're not just talking about an annoying noise, you're talking about potentially life and death situations because someone wanted to have fun.

Dave Bittner: [00:13:55:07] Right. All right, Emily Wilson, thanks for joining us.

Dave Bittner: [00:14:01:11] And that's the CyberWire. For links to all of today's stories, interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. They're the company keeping your data safe with artificial intelligence. You can check them out at cylance.com.

Dave Bittner: [00:14:19:11] A quick reminder about the new podcast we're excited to be producing in partnership with our friends at Recorded Future. It's focused on threat intelligence. It comes out once a week and we hope you'll check it out and help spread the word. You can search on iTunes for Recorded Future or visit recordedfuture.com/podcast. Thanks for checking it out and we'd love to know what you think.

Dave Bittner: [00:14:39:11] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.