The CyberWire Daily Podcast 2.16.16
Ep 36 | 2.16.16

Ukraine grid hack investigation. Malware descriptions: Fysbis, Corkow. Ransomware news. UK police vs. Crackas.


Dave Bittner: [00:00:03:18] Ukraine's investigation of grid hack reveals Russian ISPs and phone calls. A look at the Fysbis Linux malware used by the Russian APT28 espionage group. It's not fancy, but it does the job. Researchers trace North Korean cyber operations, and South Korea upgrades its state of cyber alert. Bad news and good news on ransomware. Crackas and DotGovs react with both alarm and braggadocio to last week's arrest. French police collar an alleged bomb-threat specialist. And we hear from University of Maryland expert Jonathan Katz, who explains the underlying technology behind Bitcoin.

Dave Bittner: [00:00:39:24] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at

Dave Bittner: [00:01:02:13] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, February 16th, 2016.

Dave Bittner: [00:01:09:01] Ukraine continues its investigation into December's attack on segments of its power grid. That attack is now said to have been months in preparation, with reconnaissance beginning about six months prior to the attack itself. The latest statements from Ukrainian officials offer more evidence of a Russian connection. The attackers used a Russian ISP, and made phone calls from within Russia, but they stopped short of attributing the attack to the Russian government. Evidence for any such attribution remains largely circumstantial, but the Russian government remains a prime suspect in the incident. Investigators continue to focus on BlackEnergy, and think the attack itself was probably accomplished using compromised credentials.

Dave Bittner: [00:01:47:21] Palo Alto looks at Fysbis, Linux malware widely used by the Sofacy group, also known as APT28 or Sednit, and, as Palo Alto primly notes, a "cyber espionage group believed to have ties to Russia". While relatively unsophisticated, Fysbis is thought to retain its usefulness in part because of relatively underdeveloped awareness of Linux malware, and because many of its targets are business enterprises focused on Windows.

Dave Bittner: [00:02:14:13] Tensions increase on the Korean peninsula, as North Korea undergoes a protracted period of assertiveness and nuclear saber rattling. The Republic of Korea expects cyber attacks from the DPRK, and moves to a higher state of cyber alert.

Dave Bittner: [00:02:29:09] Kaspersky and AlienVault lend some credence to South Korean concerns. Researchers with the two companies describe the continued activity of apparent North Korean threat groups who participated in the cyber looting of Sony in 2014. They trace the attackers through a long string of exploits, ranging from DarkSeoul to the word-processing malware "Hangman." As is increasingly the case nowadays, the researchers stop short of saying, "the NORKs did it," but it's fairly clear where suspicion points. Other companies, notably FireEye, have attributed many of the incidents to the North Korean government.

Dave Bittner: [00:03:03:14] ESET has described the Corkow malware used in criminal manipulation of Energobank's currency trading platform. Unlike such retail banking Trojans as the better-known Hesperbot, Corkow targets banks as opposed to their customers, and so has received less popular attention. ESET does, however, regard Corkow as both evasive and capable. What's less clear is how its controllers monetized their attack. They don't appear to have profited directly from the attack, which leads ESET to speculate that the criminals either traded in the futures market, set up some third party for profitable trading, or were simply engaging in a trial run.

Dave Bittner: [00:03:39:07] The Hollywood Presbyterian Hospital, a large Los Angeles medical center, struggles to recover from an unusually tough to remediate ransomware attack. Here the price of recovery the criminals are asking is higher than most enterprises would be willing to pay: $3.6 million.

Dave Bittner: [00:03:55:17] Hollywood Presbyterian isn't the only medical center hit by ransomware. Last week the Lukas Hospital in Neuss, Germany, was the victim of TeslaCrypt.

Dave Bittner: [00:04:05:02] There was some good news over the weekend on the ransomware front. Security firm Emsisoft has succeeded in decrypting HydraCrypt and UmbreCrypt . So well done to Fabian Wosar and his crew.

Dave Bittner: [00:04:17:12] The arrest of an alleged Cracka with Attitude by police in the UK last week has prompted both heebie-jeebies and gasconade from other Crackas, and, unsurprisingly, DotGovs. They're chatting with their media contacts at Motherboard, saying such things as, "We are [worried]. I think I'll get raided before this month is up," and, "Our campaign will only intensify now," and, "If we find out who snitched Cracka out, we'll be coming after him or her." So there, snitches. Take that.

Dave Bittner: [00:04:45:09] The teen arrested in the Midlands Cracka-sweep remains appropriately nameless. So does a teen arrested last week in France. Identified only as "Vincent L.," this 18-year-old studies at a lycée in Dijon. He was also administrator of the Darkness[.]su XMPP service. His arrest came in connection with bomb threats issued over about a week at the end of January and beginning of February. The threats were hired crime, offered for sale by "EvacuationSquad." Vincent is out on bail, but will apparently be charged with failure to give the authorities his encryption keys.

Dave Bittner: [00:05:18:19] EvacuationSquad's declared motives were plausibly adolescent, especially the second and third.Hatred of the American government, hatred of authority, and a love of chaos. They charged between $5 for threatening a school to $50 for disrupting a "major sports event". Framing someone for a bomb threat, a particularly chilling service, was offered for $5. All of this could be paid in Bitcoin, no other currency was acceptable.

Dave Bittner: [00:05:44:08] How Bitcoin actually works is worth some attention. We caught up with the University of Maryland's Jonathan Katz and we'll hear from him after the break.

Dave Bittner: [00:05:51:14] But here's some news you can use should you travel to France in pursuit of a life of anonymous cybercrime. Failure to render your encryption keys to police who require them in the course of investigation can earn you up to five years in prison. Pas bon, eh mec? But of course this isn't legal advice, skids, do consult your attorney.

Dave Bittner: [00:06:11:00] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at

Dave Bittner: [00:06:29:12] I'm joined by Jonathan Katz, professor of computer science at the University of Maryland. He's also the director of the Maryland Cybersecurity Center, they're one of our academic and research partners. Jonathan, Bitcoin is always all over the news when it comes to all things cyber. It is the way that people exchange funds anonymously. Just give us an overview of how Bitcoin works.

Jonathan Katz: [00:06:49:07] So just to give a high level overview, there are obviously a lot of technical details involved but there are two key components I think. The first of those is how Bitcoins are created, and that's done by having miners run a cryptographic algorithm on their computers, and what they're doing is essentially looking for a solution to a moderately hard cryptographic problem that they expect to solve at predetermined time periods. So that prevents people from just mining an infinite amount of Bitcoins or from mining all the Bitcoins in existence and releases or ensures that Bitcoins are created at some fixed rate.

Jonathan Katz: [00:07:24:18] The second key component is the idea of the block chain, and again at a very high level, this is a distributed mechanism that people running the Bitcoin protocol will use to guarantee some kind of consistent view of the transactions going on in the system. So every time one person sends a Bitcoin to somebody else, they will tell the other people participating in the protocol about that transaction, and then they'll all run this distributed protocol involving the block chain to make sure that everybody agrees that indeed this person sent some amount of Bitcoin to somebody else.

Dave Bittner: [00:07:57:17] What's the mechanism for converting the Bitcoin into cash?

Jonathan Katz: [00:08:01:22] Well, some people would argue that Bitcoin's as good as cash because if you can spend it, then it's just like cash. But if you did want to take your Bitcoin and then convert them to US dollars, there are online exchanges that will allow you to do that. Bitcoin's really interesting because it kind of came up out of nowhere. It certainly didn't come from, as far as we know, any academic institution, and it was developed by somebody anonymously who just floated the idea out there and then all of a sudden it was adopted.

Jonathan Katz: [00:08:25:05] So part of what makes it interesting is that nobody really has a good understanding of the security that the Bitcoin protocol provides. There was no analysis really in that paper, no formal analysis certainly, and as far as we know, there may be flaws in the protocol that haven't yet been found. So one thing we're trying to do at the University of Maryland is come up with formal models of what security properties you might want from a protocol like this and then trying to determine whether the Bitcoin protocol actually satisfies them.

Jonathan Katz: [00:08:50:19] And on that note, I'll mention that you led off with your first question saying that Bitcoin is anonymous, and that's actually not true. It's a misperception. Bitcoin provides anonymity to the extent that it doesn't release your name when you're spending a Bitcoin, but there are in fact ways you can trace Bitcoin transactions.

Jonathan Katz: [00:09:07:01] And one of the other directions of research that we're looking at, is trying to come up with extensions of Bitcoin, generalizations of Bitcoin, next generation versions of Bitcoin, that might provide stronger guarantees like anonymity, true anonymity, or other things that you might want to improve about the Bitcoin protocol itself.

Dave Bittner: [00:09:24:05] Alright, so buyer beware. Jonathan Katz, thanks for joining us.

Dave Bittner: [00:09:29:22] And that's the CyberWire. My thanks to John Petrik for filling in last week while I was away. For links to all of today's stories, along with interviews, our glossary and more, visit, and we truly appreciate your help in spreading the word about our podcast. You can review the show on iTunes, like us on Facebook, find us on LinkedIn and on Twitter.

Dave Bittner: [00:09:48:08] The CyberWire podcast is produced by CyberPoint International and our editor is John Petrik. I'm Dave Bittner, thanks for listening.