The CyberWire Daily Podcast 5.23.17
Ep 355 | 5.23.17

ISIS claims Manchester concert bombing. The case for a North Korean Wannacry. US lawmakers consider cyber legislation.


Dave Bittner: [00:00:00:22] Thanks again to all of our Patreon supporters. If the CyberWire is a valuable part of your day, please head on over to and learn how you too can become a supporter. Thanks.

Dave Bittner: [00:00:15:00] ISIS claims responsibility for the Manchester concert bombing. Security companies make their case for pinning WannaCry on North Korea. US legislators consider bills to upgrade equipment and permit hacking back. Plus, a community based approach to cyber resiliency.

Dave Bittner: [00:00:35:22] It's time to take a moment to tell you about sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff, and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web, to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP address. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:43:15] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, May 23rd, 2017.

Dave Bittner: [00:01:53:05] Authorities in the UK continue to investigate yesterday's lethal bombing at a Manchester concert. The suicide bomber has been identified as Salman Abedi, a 23 year old man who had previously come to the attention of authorities for an interest in ISIS. The "working theory" initially has been that Abedi acted alone but UK security agencies are looking for signs of co-conspirators. The lone-wolf working theory is provisional, with experts suggesting the nature of the bomb used indicates a support network and minimally the sort of planning it would have been difficult for a solitary terrorist to conduct. CBS news has reported that another young man was taken into custody in connection with the attack.

Dave Bittner: [00:02:35:21] 22 victims, including a number of children, have so far died in the attack. 59 others are believed to have been wounded. ISIS has been quick to claim responsibility in its online channels, characterizing the murdered victims, mostly young music fans as "polytheists," "Crusaders" and "worshipers of the Cross" and celebrating the attack in its now familiar narrative of inspiration aimed at recruiting and inciting similar terrorists. ISIS characterizes Abedi as a "soldier of the Caliphate." ISIS appears to be instructing its members to stay clear of social media activities that could bring them to the attention of law enforcement or intelligence services. Those same services are of course sorting through the online chatter and similar evidence.

Dave Bittner: [00:03:21:24] More circumstantial evidence points to North Korea as the responsible party in the WannaCry ransomware attacks. The apparent motive and clues in the attack code itself are consistent with a DPRK operation but, of course, the attribution remains provisional and tentative. A number of profiles have appeared of North Korea's Unit 180, a cyber operations organization thought to be behind the Lazarus Group and such operations as Dark Seoul. Symantec, which has been tracking WannaCry, now assesses a link to North Korea as "highly likely." That confidence, as reported by Ars Technica, is founded on these bits of evidence, many of them gleaned from earlier, more contained distributions of the ransomware.

Dave Bittner: [00:04:03:10] First, three bits of malware linked to the Lazarus Group were left on a network that sustained an early attack by WannaCry in February, the Trojan.Volgmer and two variants of Backdoor.Destover. Backdoor.Destover was a disc wiping tool the Lazarus Group used against Sony Pictures. Next, Trojan.Alphanc, used to spread WannaCry in March and April, is a version of the Lazarus Group's Backdoor.Duuzer. Bravonc, another delivery mechanism for WannaCry, used the same command-and-control IP address as Duuzer and Destover. Bravonc's obfuscation methods were significantly similar to WannaCry's and to other malware associated with the Lazarus Group. And finally, the Lazarus Group's Contopee malware has significant similarities to WannaCry itself.

Dave Bittner: [00:04:52:21] The EternalRocks campaign, which like WannaCry is based on the EternalBlue exploits the ShadowBrokers leaked, continues to appear more troublesome to most observers. Its goal is persistence. The purpose of establishing that persistence remains so far unknown but it doesn't appear to be a simple ransomware campaign. Its execution is superior to WannaCry's.

Dave Bittner: [00:05:14:18] It's worth noting that Polaris Alpha has suggested that WannaCry's apparent slipshod execution may have been a matter of design as opposed to ineptitude. The attackers may have been probing to test the response an attack on unpatched systems would evoke.

Dave Bittner: [00:05:31:03] The Cyber Resilience Institute is a national not-for-profit organization that says their mission is to help communities build operational and sustainable public private partnerships and cybersecurity information sharing environments. Doug DePeppe is co-founder and Board President of the Cyber Resilience Institute.

Doug DePeppe: [00:05:49:07] We take a cyber capacity building approach to communities, to localities.

Dave Bittner: [00:05:54:20] And so take me through how does that work? How do you engage with a co-- how do you identify a community and then how do you engage with them?

Doug DePeppe: [00:06:01:03] One of the key things that really helped us is we were funded by the Department of Homeland Security for a cyber market development project. So what we're engaged with now is building out a marketplace model. You know, there's a big effort now for information sharing in the ISOWs and ISACs and if you take that model and put it in a community, the question becomes how-- what is the business model? How does that sustain itself? There is a need for information sharing. It's a great idea. It's a defensive mechanism for situation awareness and we see that once you have that situation awareness, once you stand up your, your ISOW, it creates more market opportunities, because that growing awareness of the threat and even different technical sensing that reveals, you know, an indicator of compromise, that that then leads to greater interest in training and improving, you know, an organization's cyber resilience. So it just leads to additional services being needed, as well as the awareness of it creates demand. And so what we're-- under our contract, what we are building out, is a market based, a market forces, a marketplace based model in communities.

Dave Bittner: [00:07:24:06] From a practical point of view, what does the engagement look like?

Doug DePeppe: [00:07:27:14] The starting point is building a community. So we have a tool kit. It's called the C Champion Tool Kit. That's how a community wanting to affiliate with us, they can go onto a site and they can download the tool kit. And that just gives the basic organizing information, what's the value proposition, how to reach out in a community to your vendors, to your potential members and so on. It describes the business model. The other way that you can get started is we've started up a national cyber threat intelligence internship. So it's called the Crowd Sourced Cyber Threat Intelligence Internship, targeting different events as capstones. We have close to 100 students now across the country and we train them on cyber threat intelligence and analysis and then we use the event as the capstone activity, where we are generating intelligence, analyzing it and sharing it, both with our partners who are on the event side, as well as with government, if there's any law enforcement or, you know, critical infrastructure, government type threats.

Dave Bittner: [00:08:35:15] That's Doug DePeppe from the Cyber Resilience Institute.

Dave Bittner: [00:08:41:22] In the US, WannaCry and other recent incidents, including the ShadowBrokers' leaks, have prompted a flurry of legislative attention. The Senate is considering the PATCH Act, which would place the Intelligence Community's Vulnerability Equities Process on a legal foundation. The House has passed a bill that would speed IT modernization within the Federal Government with a view to increasing security by closing the vulnerabilities legacy systems present.

Dave Bittner: [00:09:07:07] Also in the House, a member has introduced a bill that would mandate a review of the role played by cryptocurrencies in financing terrorism. Such investigation would be based to a significant extent on a priority probability, as opposed to specific indicators.

Dave Bittner: [00:09:22:11] And finally, WannaCry itself seems to have prompted bipartisan introduction of the Advanced Cyber Defense Certainty Act in the House. The proposed legislation would empower US companies hit by cyber attack to "hack back" under certain circumstances. For a useful thought experiment on how such hacking back might play out in practice, we recommend looking at the Atlantic Council's Cyber 912 exercise. You'll find a description on our site at

Dave Bittner: [00:09:56:18] A quick note about our sponsors at E8 Security. They understand the difference between a buzz word and a real solution and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new but proven technologies at We all know that human talent is as necessary to good security as it is scarce and expensive but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They help you understand your choices too. Did you know that while we might assume supervised machine learning, where a human teaches the machine, might seem the best approach, in fact, unsupervised machine learning can show the humans something unexpected. Cut through the glare of information overload and move from data to understanding. Check out and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:11:01:12] And I'm pleased to be joined once again by Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, your work takes you around the world and recently you were over in Europe and that got you thinking about some of the coming privacy regulations.

Emily Wilson: [00:11:15:08] Absolutely. You know, we, we here certainly in the industry in the States have conversations about privacy regulations all the time and we're looking and hoping to see these have an impact at a national level. But, yeah, I was recently in the, recently in The Hague, in particular. It was really interesting to talk to people about how they're thinking about privacy, especially as Europe as a whole is approaching, you know, the, the GDPR Regulation that's coming into effect next year. I think we're going to see some really interesting changes in expectations in innovations and in evaluations of these companies and in software as people scramble to get ready for this GDPR.

Dave Bittner: [00:11:55:15] And it's going to affect companies of all sizes?

Emily Wilson: [00:11:57:20] Absolutely, right. This isn't just companies that hold a certain amount of personal information. This is everything from your massive conglomerates to, you know, your, your smaller or medium sized businesses. Now everyone is responsible for the data and they really are responsible. This is, this is not regulation that I think we're going to see moved. This is a hard deadline people need to prepare for.

Dave Bittner: [00:12:18:17] And how about if you are an American company who may be doing business overseas, may not know if you've got customers who are overseas, this will be-- this will have an effect on you as well?

Emily Wilson: [00:12:27:10] Absolutely. I really think that we're going to see some, some trickle down or some flow over effects of this as, as these companies, big and small who are operating internationally kind of need to prepare for this. You know, are these companies going to just handle their European data? Are they going to, you know, make some broader changes across their organizations? I think it's going to be an interesting year.

Dave Bittner: [00:12:48:10] So, do you think we'll see a global shift towards more privacy, just because it'll be easier for people to obey the rules of the European Union? To have one set of rules, I guess is what I'm getting at, rather than try to cherry pick around the world?

Emily Wilson: [00:13:00:22] I think the conversations that we see happening as European companies and as companies who operate internationally prepare for GDPR will help to structure the conversations that are happening kind of internationally or domestically here in the States. But I don't know if I'd go as far to say as people are going to move toward one particular type of regulation or legislation on this. I think we're going to see a lot of people holding off and punting for as long as possible, which is unfortunate.

Dave Bittner: [00:13:33:17] All right, interesting stuff. Emily Wilson, thanks for joining us.

Dave Bittner: [00:13:39:01] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence visit Thanks once again to all of our supporters on Patreon and to find out how you can contribute to the CyberWire go to The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.