The CyberWire Daily Podcast 5.5.17
Ep 343 | 5.5.17

Influence operations and elections, and the difficulty of doing anything about them. Dynamite phishing investigation. Snake hisses at Macs. Fatboy at your (criminal) service.


Dave Bittner: [00:00:00:00] The CyberWire is made possible in part by smart and attractive listeners like you. Please check out our Patreon page at

Dave Bittner: [00:00:12:18] Elections and election influence operations in Europe and the difficulty of taming Fancy Bear. Some weekend reading. The Google Docs worm and dynamite phishing incident takes an odd, but implausible, turn. Snake malware seems poised to strike at Mac users. And there's a new product in the crime-as-a-service market. It's called "Fatboy". It speaks Russian, and, yes, it's ransomware.

Dave Bittner: [00:00:40:13] Time for a message from our sponsor, Palo Alto Networks. You can learn more about them at With the adoption of software as a service applications, data now lives beyond the traditional network perimeter. What are you doing to keep your organization's data protected in this new environment? Palo Alto Networks integrated platform provides detailed SaaS visibility and granular control, data governance, automated risk remediation and malware prevention. So organizations can achieve complete SaaS protection. Palo Alto Networks has the broadest, most comprehensive cyber security for all cloud and SaaS environments. Because secure clouds are happy clouds. Get started at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:41:00] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, May 5th, 2017.

Dave Bittner: [00:01:52:19] French voters will elect their next President this week-end and the election's final week has been roiled by accusations that Marine Le Pen's campaign "colluded" with Russia. Her opponent, Emmanuel Macron, currently holds a lead in the polls. Both candidates are relatively speaking outsiders. Macron says his organization experienced attempts to get at its emails and that these attempts were thwarted.

Dave Bittner: [00:02:17:24] In Germany, which will hold its federal elections on September 24th, the Director of the domestic intelligence service BfV warns that there agency has seen a marked increase in Russian cyber espionage directed at influencing the elections. Think tanks associated with both major parties in Chancellor Merkel's coalition government have been targeted. In both France and Germany, as was the case in the US, Russia's GRU, "Fancy Bear", as it's come to be familiarly known is the animal of interest.

Dave Bittner: [00:02:49:11] One might wonder then what effect Western countermeasures may have had on such Russian activity. WIRED magazine takes a look at what US sanctions did to slow down election-focused Russian cyber espionage and conclude that the sanctions accomplished essentially nothing. Fancy Bear is prancing through Western networks clad in the barest fig-leaf of plausible deniability. "Brazen" is what WIRED calls Fancy. According to New America Foundation analyst, Peter Singer, that's because sanctions are effective when they hold something valuable at risk. What's valuable to Russian president Putin, Singer thinks, is concealment of oligarchical corruption and his own personal wealth from the Russian public and sanctions are shrugged off because they haven't successfully exposed this.

Dave Bittner: [00:03:36:22] Those interested in the historical continuity of Cold War espionage and propaganda with current cyber and influence operations will find the National Security Archive's Cyber Vault Highlights just published by George Washington University worth consulting and it's all properly declassified and FOIA’d so presumably safe for work. No WikiLeaks dodginess about it. It's the Cyber Vault and that's not Vault7.

Dave Bittner: [00:04:02:20] Another set of readings worth consulting maybe found listed in Palo Alto's Cybersecurity Canon, their honor roll of books they think every cyber practitioner should consult and master. Every year, Palo Alto inducts a new class. We were at their gala in Washington last night and the books and authors are well worth your attention. Check out the CyberWire Daily News Brief today for a full list.

Dave Bittner: [00:04:26:05] The Google Docs worm phishing campaign has taken a very odd turn. Many remarked when it first surfaced on its similarities to the tactics, techniques and procedures used by Pawn Storm. You remember Pawn Storm, Trend Micro's name for what the other people call Fancy Bear, APT28 or the GRU. But attribution is notoriously difficult and it won't be easy here either because someone seems to be interested in muddying the waters.

Dave Bittner: [00:04:53:12] A person claiming to be a student at Coventry University says he was responsible for the episode and that it wasn't really an attack just a test or a trial. A test of what, or a trial of what, isn't clear. Nor is it clear that the person claiming responsibility is particularly plausible himself. Bleeping Computer calls him, "some Twitter dude", and that's not an unfair characterization. This Twitter dude identifies himself as "Eugene Pupov" but Coventry University says they've never heard of any Eugene Pupov and that Eugene Pupov doesn't appear to be one of their students. There are other grounds for skepticism too. For one thing the Twitter account @EugenePupov was registered essentially simultaneously with the attacks. Maybe that's legitimate but it certainly looks like a sign of track covering disinformation. Nor does the address that registered the account look right either. Finally, the account has a picture associated with it, as accounts do, and this picture is of another Pupov entirely, a presumably innocent and uninvolved molecular biologist at the Russian Academy of Sciences Institute of Molecular Genetics. So, no, the smart money is on Eugene Pupov not being at all who he claims to be. His Twitter account now seems to be gone too but while it was up it identified him as a white hat hacker. Few are convinced but, hey, stranger things have happened.

Dave Bittner: [00:06:20:01] Whoever's behind the incident, observers think OAuth abuse likely to continue. Google still gets good marks for quick reaction and containment of the incident but Motherboard makes note of the fact that people, including Google, were warned of the possibility of such dynamite phishing almost six years ago. Researcher, Andre DeMarre, described it to an independent standard setting body, the Internet Engineering Task Force, IETF, back in October, 2011 and now his warnings seemed to have come true.

Dave Bittner: [00:06:47:24] Snake malware, also known as "Turla", "Agent.BTZ" or our favorite, "Uroburos" is back and getting an upgrade. Fox-IT thinks it sees signs Snake is being prepared for use against Mac OS targets. The cyber espionage tool has been in use for about a decade targeting embassies, government organizations, colleges and universities, pharmaceutical companies and various researchers. Much of its activity has been focused on Ukraine but other targets in Europe and North America have also been hit. As is the custom, Snake poses as a legitimate app and it's often spread by phishing emails. So, Mac users, stay alert.

Dave Bittner: [00:07:27:24] Recorded Future describes "Fatboy", a new ransomware as a service offering on a Russian language criminal forum. Customer support is available over Jabber and there's even a user panel for customer engagement. High-Tech Bridge's, Ilya Kolochenko, sees this as a foreseeable evolution of the crimeware black market toward commodification. The same thing, after all, happens in legitimate markets. Kolochenko says, quote, "Ransomware is about business, not about technology," end quote and for now at least ransomware seems to be good business, for a bad business that is.

Dave Bittner: [00:08:07:21] Now, a moment to tell you about our sponsor, Control Risks. Control Risks thinks like your adversaries and knows that they attack as a means to an end. Whether you're worried about malicious insiders stealing intellectual property, state supported foreign competitors targeting M&A data or hacktivists looking to smear your reputation, one thing is clear, a standard technical approach to incident response is not enough to address the entirety of your problem and protect your business's future growth, profit, and brand. Control Risks has conducted more than 5,500 complex investigations in nearly 150 countries. Their 360 degree response framework pulls together their expertise in investigations, crisis management, network and host forensics, data analytics and legal compliance support. Effective response often requires more than standard incident response and how you respond can mean the difference between an isolated incident and an enduring crisis. Let Control Risks navigate you through it. Find out more at That's And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:09:26:07] And it's my pleasure to introduce a new partner to our podcast. I'd like to welcome Johannes Ullrich. He's the Dean of Research for the SANS Technology Institute but many of you probably know him as the host of the ISC StormCast podcast, another daily cyber security podcast. Johannes, welcome to the show.

Johannes Ullrich: [00:09:44:05] Thanks for having me.

Dave Bittner: [00:09:45:11] We just want to start off by way of introduction. Tell us a little bit about yourself, your background, and what brought you to cyber security podcasting.

Johannes Ullrich: [00:09:55:08] Well, I originally actually started out in physics. That's sort of where my career started and that's what I went for school-- to school for but while doing physics I also ended up doing a lot of computer work and with that also, well, I guess today you would call it Internet-of-Things but remote control of experiments. That sort of got me into security in part because, well, you get into security by being breached at some point. For me, it was pretty simple. The home system I used to remote control my experiments was actually abused by a spammer that then sort of got me into firewall security and all of that good stuff. One thing I realized back then was that it's really hard for someone to understand, when you're looking at your logs, so what does it all mean, what's important, what's not important. So, back in 2000, I started a system called that collects firewalls from volunteers around the world and that later then, as I joined SANS, became the Internet Storm Center and, well, what we're trying to do at the Internet Storm Center is to build a global information security sharing community and part of this of course is getting the word out, disseminating what's happening today out on the Internet and that's sort of where the daily podcast that I'm doing fits in.

Dave Bittner: [00:11:25:10] Alright. Well, it is not unlike the CyberWire. It's a daily briefing of cyber security news. We were joking before we got on the air here that you sort of cover the morning drive-time and we cover the afternoon drive-time. So between the two of us I think people really have all their cyber security news covered for the day.

Johannes Ullrich: [00:11:44:17] Right. My goal is to make you sound smarter when you arrive in the office in the morning. So if you listen to the podcast in the morning, you get the sort of low-down on the technical issues that happened. Little bit different from the CyberWire in that it really covers more of the politics and business also around security which is also very important. I try to focus a little bit more on the nitty-gritty technical details.

Dave Bittner: [00:12:09:21] Yeah. It's a great show. For those of you who haven't checked it out, it's the StormCast podcast, and Johannes Ullrich, we're real happy to have you join us here on the CyberWire. We'll talk to you soon.

Dave Bittner: [00:12:23:23] Here's some research from our sponsor, Cylance, that we think you'll enjoy. If you've been a CyberWire listener or reader, you're familiar with Eye Pyramid, a cyber espionage tool that had been quietly active in Italy's political and financial circles for several years until the brother and sister duo who were controlling it were snapped up by Italian police. It's a clever keylogger that exfiltrated sensitive information from infected machines and it did so while quietly disabling firewalls and various Window updates and services, the better to remain undetected. You can get the low-down on the still dangerous Eye Pyramid at See what Cylance's threat spot-light can show you about Eye Pyramid and how to protect yourself against it. That's And we thank Cylance for sponsoring our show.

Dave Bittner: [00:13:21:19] My guest today is Allan Liska. He and Timothy Gallo are co-authors of the book, "Ransomware: Defending Against Digital Extortion." Allan Liska has worked as both a security practitioner and an ethical hacker.

Allan Liska: [00:13:34:01] Tim and I both work with a lot of different types of customers. What we were seeing very early on is that they were really concerned about ransomware, but we hadn't seen-- and this is late 2015, early 2016-- we hadn't seen as much of a response from the security community. There were a lot of blog posts and things like that but our customers were really feeling like their vendors were letting them down. And we realized, well, there's nobody that's really offering a lot of advice on what you need to do in order to protect yourself from ransomware if you're a corporation. So we king of got together and said, you know, "We should write a book on this because we're giving out a lot of the same practical advice over and over again." And if we can sort of take what we've been telling people ad-hoc and create a more formalized version of it then I think we'd have something that would be useful to a whole lot of people. The first three publishers we reached out to disagreed with us completely. None of them had any interest at all in the book and then we submitted it to O'Reilly and within 30 minutes we had a call-back from an O'Reilly editor saying, "Yes, this is a great idea. We really want to do this."

Dave Bittner: [00:14:59:24] What is it about ransomware that makes it a little tougher for people to wrap their arms around?

Allan Liska: [00:15:06:12] I think it's kind of strange. You know, there's the part around study that's done repeatedly that says that, you know, most breaches go undetected for, I think it's about 150 days right now. And so when you think of a breach especially in a corporation, most of the time the breach itself doesn't disrupt business operations. So your breached data is leaving your network for months possibly being undetected but the day-to-day operations of the business go on. It's only after it's discovered and, you know, and incident response kicks in and so on, that maybe some business operations are disrupted. Ransomware disrupts immediately. You know immediately that something bad happened in your organization and there's an immediate cost, right? There may be a cost afterwards if there-- if it's discovered that you had a breach especially if you were liable for something that happened, you know, if you were found to be negligent, but there's an immediate cost to ransomware. And so I think that's why it stays on the mind of so many people, it's because it's an attack that is very tangible to those organizations.

Dave Bittner: [00:16:28:18] Take me through some of the highlights of the book. What are some of the things that you all cover?

Allan Liska: [00:16:33:01] We start with the history of ransomware and then we dive in to kind of why-- you know, the economics of ransomware, why ransomware makes sense from the point of view of the bad guy. You know, a lot of people don't think about that but, you know, there are, there are organizations, in some cases professional organizations, that are behind these ransomware campaigns so understanding why they are doing what they're doing and, and, you know, why it's profitable for them to do this. We carve out a chapter to discuss whether or not you should pay the ransomware and despite our best efforts it's not just one page with the word, "No", written in 96 point font. It's more of a nuanced discussion around that. And then the bulk of the book is what can you, as an organization, do to protect yourself against ransomware. What are some steps that you can do? Both, both from a practical perspective, here's some things that we can secure and from an educational perspective, how can we know what's going on, how can we educate our users. And then we highlight some of the different types of ransomware and some of the biggest ransomware campaigns that are currently out there to give people a feel for the different approaches that ransomware authors are taking.

Dave Bittner: [00:17:56:13] While you all were doing the research for the book, was there anything that caught your eye, anything that surprised you?

Allan Liska: [00:18:03:07] I think the biggest thing that caught our eye-- and Tim and I have been involved in the info-sec world for a very long time and so we're aware of how bad guys work and how organizations work to protect themselves and some of the limitations that they have in protection but we were really surprised at the professionalism of some of the more advanced ransomware developers, you know, scheduled regularly cycles, patching their software, obviously operating help-desks which I'm sure you've seen out there. Those type of things that are really, really the signs of a professional organization and oftentimes working better than some, you know, legitimate software companies still.

Dave Bittner: [00:18:53:00] That's Allan Liska, co-author along with Timothy Gallo of the book, "Ransomware: Defending Against Digital Extortion." If you'd like to hear more about ransomware, there's an extended interview with Allan on the next episode of the Recorded Future inside threat intelligence podcast scheduled for release this coming Monday, May 8th.

Dave Bittner: [00:19:16:13] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible especially to our sustaining sponsor, Cylance, to find out how Cylance can protect you through their use of artificial intelligence, check out

Dave Bittner: [00:19:31:13] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Have a great weekend everybody. See you back here on Monday. Thanks for listening.