The CyberWire Daily Podcast 6.12.17
Ep 368 | 6.12.17

CrashOverride implicated in Ukraine grid hack—possibly as a proof-of-concept. Hack-induced Gulf diplomatic troubles continue. New malware strains, exploits appear.


Dave Bittner: [00:00:00:23] I want to give a quick shout out to our latest Patreon supporters - thank you so much for helping us do what we do here. If you want to help support the CyberWire, go to to find out more.

Dave Bittner: [00:00:14:22] Dragos and ESET bring clarity and bad news to investigation of December 2016's Ukrainian power grid hack. Qatar and its neighbors try to sort out hack-induced diplomatic troubles, DoubleSwitch social media malware hijacks dissidents' accounts. CertLock impedes removal of unwanted programs by security software. MacSpy and MacRansom appear as malware-as-a-service offerings. AMT vulnerability exploited in the wild, and China arrests 22 for trading in stolen iOS user data.

Dave Bittner: [00:00:51:13] I'd like to tell you about some research from our sponsor, Cylance. You've heard a lot lately here and elsewhere about WannaCry, the sloppy but dangerous ransomware campaign that became a pandemic. Our sponsor, Cylance has a few things to say about it you may not have heard elsewhere. WannaCry spread as a worm and a nasty surprising one, so a lot of legacy defenses didn't stop it. Cylance says its AI did. In fact, if you'd had Cylance's artificially intelligent software running on your systems, you'd have been proof against WannaCry infestations. Go to and check out the post on Cylance versus. WannaCry. Their math-driven models make the unknown cyber threats known, and stop them from hitting you. Visit, and see what they can do for you while the next WannaCry is just a gleam in the attacker's eye. We thank Cylance for sponsoring our show.

Dave Bittner: [00:01:54:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, June 12th, 2017.

Dave Bittner: [00:02:04:13] Security firms ESET and Dragos have been working together on malware samples obtained by ESET, and they have some insight into what those samples mean: the likelihood of more, and more effective, attacks against power grids. The researchers released a report today on the malware that hit Ukraine's power grid last December.

Dave Bittner: [00:02:23:09] They're calling the attack code "CrashOverride" or "Industroyer," and they compare it to Stuxnet, in terms of the severity of its threat to physical systems. CrashOverride is modular and readily tailored to its targets.

Dave Bittner: [00:02:37:09] Dragos calls this, "the first ever malware framework designed and deployed to attack electric grids," and reckons it as the fourth piece of what they characterize as "ICS-tailored malware." The predecessors will be familiar: Stuxnet, which was deployed against Iranian uranium-refinement centrifuges sometime between 2005 and its discovery in 2010, BlackEnergy 2, which was used in spearphishing connection with the disruption of power in Eastern Ukraine on December 23rd, 2015, and Havex, a remote-access Trojan discovered in 2014 during investigation of industrial espionage campaigns in Europe.

Dave Bittner: [00:03:16:09] CrashOverride resembles Stuxnet in that it was used to disrupt physical processes. On December 17th of last year an electrical substation in Ukraine was taken offline to disrupt power in the vicinity of Kiev. Dragos thinks that incident now looks like a proof-of-concept. The authors of the malware devoted considerable effort and attention to understanding the operating environment of Ukrenergo, the power utility affected in December 2016.

Dave Bittner: [00:03:45:01] CrashOverride was not designed to work against any specific or narrow set of vendor systems. It is, in effect, a platform that can be used to attack a wide variety of industrial targets. It's modular, extensible, and can be used simultaneously at more than one site. It has no espionage functionality; this is more than spyware: it's malware designed and used specifically to take down an electrical utility. In principle, although there are no signs of this yet, CrashOverride could be adapted to attack systems in other industrial sectors.

Dave Bittner: [00:04:17:20] Dragos thinks the Electrum threat group is behind the malware. They also believe Electrum is directly tied to the Sandworm group, a cyberespionage crew generally regarded as working for Russian intelligence services. And so the Ukrenergo attack now looks more like a dry run than it had before.

Dave Bittner: [00:04:36:06] Al-Jazeera appears to have largely recovered from last week's cyberattacks, the precise nature of which remains unclear. It sounded initially like a distributed denial-of-service incident, but if it was a DDoS attack, it seems to have been largely unsuccessful, since the network experienced relatively few problems with availability. The attacks do appear to figure in the larger campaign of hacking and disinformation aimed at splitting Qatar from regional Arab allies. Whether Al-Jazeera was hit by the same actors who planted disinformation through hijacked Qatar News Agency services last month is also unclear: the threat may be a second-order response by hacktivists or governments who bought the original round of disinformation.

Dave Bittner: [00:05:19:09] Morocco and Kuwait are attempting to mediate the dispute. Qatar's government, with US FBI assistance, has tentatively attributed Qatar News Agency hijackings to Russian actors, but outside observers remain dubious.

Dave Bittner: [00:05:34:19] Looking at our CyberWire event calendar, the SINET Innovation Summit 2017 is coming up June 20th in New York City, and we're pleased to be a media partner for the event. Robert Rodriguez is the Chairman and Founder of SINET.

Robert Rodriguez: [00:05:47:22] Innovation Summit is a little differentiated from the other programs in that we're connecting Wall Street, Silicon Valley, and the Beltway, with an emphasis on the banking and finance institutions. For example, we have at least a dozen CISOs from Fortune 100 banks: Goldman, JP Morgan Chase, Bank of New York Mellon, Citi, Standard Chartered Bank, Mitsubishi Bank, Sallie Mae Bank. So, there's that emphasis because we are in New York City.

Robert Rodriguez: [00:06:19:17] SINET's known as a huge supporter of innovation globally in the cyber security domain. So, the innovators are in the room. And if you think about what's important to small business, especially early stage emerging growth companies, to include large companies, but at the end of the day, after they raise their capital, all they really want to meet are the buyers, from both industry and government. So, for example, CISO or CSO or CIO and somebody that has capital to purchase [UNSURE OF WORD] in value-add solutions.

Robert Rodriguez: [00:06:56:14] So, we really focus on providing an environment for the business of cyber to take place. New York City is a thriving entrepreneurial community. It is an epicenter of banking and finance and many other areas of commerce and business as well.

Robert Rodriguez: [00:07:14:00] Another opportunity for the audience are the innovators and the entrepreneurs. As they listen to the CISOs talk about risk, what's important to them, what kind of needs or requirements they're prioritizing, discussions on ransomware and how that marriage of IoT and ransomware are affecting the future of risk, the topic on malware, third party vendor risk management. So, understanding the strategies and pain points and the way that the CISOs think about this is going to help those entrepreneurs build their strategy and road maps to address those needs.

Robert Rodriguez: [00:07:52:23] The ability for us to have this diverse ecosystem in the room provides value to all those in attendance, whether you're Cisco with ten people or Cisco today with 1000s of people. There's something for somebody at all levels in their life at SINET.

Dave Bittner: [00:08:08:20] That's Robert Rodriguez. The SINET Innovation Summit 2017 takes place June 20th in New York City.

Dave Bittner: [00:08:17:02] Several strands of malware are being newly described. Here's a brief overview of each.

Dave Bittner: [00:08:22:12] Access Now reports a new form of social media hijacking, "DoubleSwitch," which renders its victims effectively unable to regain control of their accounts. Observed principally in Venezuela, DoubleSwitch has been used against critics of the Chavista government. Access Now thinks it's likely to be seen in other repressive regimes as well.

Dave Bittner: [00:08:43:21] Various researchers are reporting a new Trojan, "CertLock," in the wild. Carried by a range of unwanted programs, the Trojan renders those programs more difficult to clean from Windows systems by blocking the certificates of security software.

Dave Bittner: [00:08:58:16] Researchers at AlienVault and Fortinet have obtained and analyzed live samples of MacSpy and MacRansom, two varieties of malware-as-a-service that have been on offer in dark web markets at least since the last weeks of May. As the names suggest, they target Mac systems with, respectively, spyware and ransomware. As Mac market share rises, so does Mac malware's black market share.

Dave Bittner: [00:09:24:15] Sophos reports a ransomware outbreak in Chinese Android systems. The malicious code hides in a bogus copy of the King of Glory game. The ransomware copies WannaCry's user interface, but it's not WannaCry.

Dave Bittner: [00:09:39:12] Microsoft has found exploitation of a vulnerability in Intel chip sets' Active Management Technology in the wild. The Platinum Advanced Persistent Threat group is going after AMT to execute malicious code in targeted machines.

Dave Bittner: [00:09:55:10] In Europe, authorities continue to work to round-up known wolves. One of them, a Syrian expatriate arrested in Germany, is said to be a principal point-of-contact between terrorists and the ISIS news service Amaq.

Dave Bittner: [00:10:09:05] In the US, former FBI Director Robert Mueller is set to serve as Special Counsel for Russia Investigations.

Dave Bittner: [00:10:17:09] Finally, in China, police round up 22 people and charge them with selling data obtained from iOS users. The scam is said to have netted them as much at fifty million yuan, which comes to about seven and a quarter million in Yankee dollars.

Dave Bittner: [00:10:37:14] Time for a message from our sponsor, Recorded Future. You've probably heard of Recorded Future. They're the real time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to, and read, they cyber daily. They do some of the heavy lifting in collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the cyber daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay ahead of the cyber attacks.

Dave Bittner: [00:11:19:00] Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:37:18] I'm pleased to be joined once again by David Dufour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back. With the recent attacks by the WannaCry ransomware, one of the subjects that's been popular is people talking about attribution with this particular attack. People want to attribute it to North Korea, but other people have been saying, hold on, not so fast: attribution is difficult.

David Dufour: [00:12:04:00] Thank you for having me again. That is, in fact, true. Just for the listeners, attribution is when we take a look at code or some type of malicious software to try to understand where it's come from. We're looking at the fingerprints and maybe who's touched it so we can make that determination back to the originator - when we're talking about attribution, that's what we're talking about.

David Dufour: [00:12:28:04] It is very difficult to attribute something back to a malicious actor. One thing that occurs quite often in the cybersecurity world is a bad guy, cyber criminal, will create some malicious code, and they'll keep it super secret, and they'll use that to their nefarious means. But once they're discovered, they will blast that code out on message boards everywhere, so everyone has access to that, and at that point it begins to get very difficult to determine where something came from.

Dave Bittner: [00:12:59:20] So, they sort of shoot it out there as a smokescreen so that now everyone has it, it's hard to attribute it to anyone in particular.

David Dufour: [00:13:06:23] That's exactly what they're doing. One, just to be mean, and, two, it's not as valuable anymore, so they're just going to just get it out there so no one can trace it back to them.

Dave Bittner: [00:13:17:08] I've heard people say that attribution really isn't that important; that attribution is the stuff of nation states, but for, you know, those of us trying to keep our systems safe, what difference does it make who it came from? The point is, we've got to keep it out.

David Dufour: [00:13:32:01] I disagree. There's some examples with ransomware where developers took the core encryption code that allowed you to actually encrypt files on a machine. But then if you looked at that encryption algorithm itself, those algorithms were broken, so you couldn't ever decrypt the code, so that's a bad thing. Or the decryption algorithm was such that we could figure out a way to generate a key that would unlock that.

David Dufour: [00:14:05:08] So, attribution is important in some instances where we can actually help people. Not because maybe we're trying to get to the person at the other end to put him in jail, but a lot of times if we can see where something came from and have a good understanding of it and the variance, we might be able to help folks.

Dave Bittner: [00:14:24:23] David Dufour, thanks for joining us.

Dave Bittner: [00:14:29:14] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit Thanks once again to all of our supporters on Patreon. To find out how you can contribute to the CyberWire, go to

Dave Bittner: [00:14:55:09] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.