The CyberWire Daily Podcast 6.14.17
Ep 370 | 6.14.17

Patch news. Terrorist funding goes cyber. Cozy and Fancy Bear were more active than earlier believed. A CrashOverride update.


Dave Bittner: [00:00:01:04] Despite rumors to the contrary, there is not actually a Patreon level at which I will come to your house and read the daily news briefing to you in person. But don't let that stop you. Go to and find out how you can contribute to our show.

Dave Bittner: [00:00:18:16] Yesterday was Patch Tuesday and some of the fixes even reached back into Windows XP's unquiet grave. Terrorist information operations are increasingly sustained by cryptocurrency funding. Russian intelligence may have been more active probing US state election systems than previously thought. Fake-news-as-a-service is now a black-market offering. And CrashOverride is a real threat to the grid. This is not a drill.

Dave Bittner: [00:00:47:18] Now I'd like to tell you about some research from our sponsor Cylance. Ever hear of 40-second Boyd? He's the legendary fighter pilot who gave the world the concept of the OODA loop in his famous discourse on winning and losing. The PowerPoint presentation that's to conflict theory what Kant's critique of pure reason is to epistemology. Our sponsor Cylance is all about winning but they're also about getting inside the operations OODA loop. If you could observe, orient, decide and act faster than the opposition, well, game over. Cylance's artificial intelligence can give you the temporal predictive advantage you need to get inside and stay inside the cyber attackers' OODA loop. Go to and check out their blog post on how to stop tomorrow's threat today. That's See what they can do to put you on the opposition's six. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:50:00] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, June 14th, 2017.

Dave Bittner: [00:01:59:20] We've got a slightly unusual edition of the CyberWire for you today. We're going to do a quick rundown of some news but we're going to spend the main part of the show with Robert M Lee, founder and CEO of Dragos, the security company whose recently-published report has been at the center of the CrashOverride power grid malware. First, the news.

Dave Bittner: [00:02:20:01] Microsoft issued 96 patches yesterday and, in an unusual move, reached back to fix WannaCry-related issues in the beyond-end-of-life Windows XP. Also unusual is Redmond's warning to expect exploitation by state-sponsored threat actors. Yesterday Adobe also pushed out fixes for its much updated, much patched Shockwave and Flash products.

Dave Bittner: [00:02:45:11] Information operations continue to figure prominently in terrorist groups' use of the Internet, which is why disruptive cyberattacks by states belonging to the civilized world have had such difficulty countering them. Another trend in terrorists' use of cyberspace is emerging in financing. Cryptocurrencies are beginning to assume a more important role in bankrolling their operations.

Dave Bittner: [00:03:08:17] Bloomberg reports that Russian probes of US electoral processes seem to have been more extensive than feared. Cozy and Fancy Bear between them may have prospected systems in as many as 39 states, and they're expected to be back. The probes seemed to involve reconnaissance, but also attempts at voter registration data manipulation.

Dave Bittner: [00:03:29:24] With respect to influence operations, Trend Micro is warning that fake-news-as-a-service is now available in online black markets. It's pricey, but payoff could be high. One service available for $400,000 offers election manipulation. How effective such services may be is so far anyone's guess.

Dave Bittner: [00:03:51:11] The CrashOverride threat to electrical grids may be greater than at first thought. The story is developing rapidly. Robert M Lee of Dragos, which did the heavy analytical lifting, joins us for the details.

Robert M Lee: [00:04:04:04] In 2015, on December 23rd in Ukraine, there was the first ever cyber attack that actually brought down portions of the grid and disrupted electric operations. And myself and members of my team got to be involved in the investigation, analyze it out and the big discovery there was that while malware helped facilitate access, this malware known as BlackEnergy 3, the malware didn't cause the outage. It was the human adversaries learning and interacting with the grid operation systems.

Robert M Lee: [00:04:36:18] In 2016, it happened again, where Ukraine came under attack and this time at Kiev and a substation there, there was another outage due to a cyber attack. But this time, we weren't involved in investigation. It was more of a close help matter, since it was a transmission-level substation which is much bigger impact. And, and we didn't know anything about it, so nothing's really been public up to now. Some, some discussions have, but nothing really about what caused the outage.

Robert M Lee: [00:05:04:14] So it turns out this anti-virus firm in, in Slovakia called ESET actually had a sample of the malware, which we've now known and called CrashOverride. And they were analyzing this malware, but for whatever reason, I don't know if it was sensitivities or just, you know, I have no idea about their motivations or intent, but they didn't notify anybody about it and didn't release any information. And we got a call on June 8th from reporters saying, "Hey, ESET's getting ready to go live with this analysis and we're having a bunch of stories published on June 12th. And we would like to know if you could confirm this."

Robert M Lee: [00:05:42:18] And so ESET reached out and passed us some of their analysis. When we got it on June 8th, we immediately noticed the potential impact here. There's only ever been three other ICS or industrial control system tailored pieces of malware before, so this was very significant. And, obviously, the impact, ability to be able to take down any portion of a grid is, is very alarming. So, from June 8th to June 12th when we came public, we tracked down samples of the malware, did all the analysis, reverse-engineered their analysis to be able to validate it, found additional contexts that had been missing, some additional samples.

Robert M Lee: [00:06:19:19] We were able to link it to the Electrum Group that we track internally at Dragos and which has direct ties to the Sandworm team that attacked the grid in 2015. And we also found out that none of the industry partners had been notified yet, so in that time as well we reached out to all the different US government agencies, various national-level CERTs around the world and industry sector partners as well, of course, as our customers with all the information available and tried to make sure that they were ready before this went public on Monday, on June 12th.

Robert M Lee: [00:06:49:10] So it was a 96 hour kind of surge to make sure that we could get the appropriate message out because the impact is real and the threat is significant but it's not apocalyptic. It's not the grid is going to cascade, it's not, you know, some doomsday scenario but it, but it has the potential, it has the real potential for hours or a day or two of outages at sites that it targets and it's scalable across any number of energy sites. So very alarming but, but not doom and gloom.

Dave Bittner: [00:07:16:01] Yeah. Take us through that. I mean, you generally tend to have a measured response to these sorts of things. You're often a voice of reason when it comes to, you know, ICS potential vulnerabilities. How serious is this? How do we calibrate?

Robert M Lee: [00:07:29:13] Yeah. So, I think it's extremely serious but, again, not doom and gloom. But I say extremely serious because the industry, time and time again, whether its government or private sector, has, has trained their mindset into vulnerabilities and exploits. Like, how bad is a vulnerability, how bad is an exploit, and patch it, fix it, prevent it. And the whole thing here is what makes this CrashOverride malware unique and very interesting is that it doesn't rely on any specific vendor, doesn't rely on any vulnerabilities. It's just the codification of grid operations knowledge. So, it's leveraging completely normal functionality that operators need to have inside of the electric grid to then be able to send the wrong commands and disrupt the electric grid.

Robert M Lee: [00:08:16:02] Now, the nuance, of course, is that our electric grid operators, the government and private sector working together over years, have done an amazing job at making our grid very reliable. They're used to going back to many operations and getting electricity running for storms and events like that. So, even though that hasn't been tailored for security, necessarily, even though they do train for it, that still has a very big impact of security as a byproduct. So, what we're looking at is a platform that is able to be scaled across different sites that the adversary targets.

Robert M Lee: [00:08:47:17] It doesn't spread randomly. The adversary still has to target these individual sites, but it would work in-- right now, without any modification, in all of Europe, most of the Middle East, and most of Asia. And with very small modification, it will work in the North American power grid. So, everyone's taking it very seriously because it's a, it's a mindset change, it's an evolution in tradecraft for the adversary, and it's concerning. But it's not cascading grid failure, it's not all the sites across America going down, it's not months and weeks of outages. It's hours, maybe a day or two, of specifically targeted sites that the adversary chooses.

Dave Bittner: [00:09:20:01] Take me through where you all are in terms of attribution.

Robert M Lee: [00:09:23:20] My firm doesn't get into the game of attribution. I actually don't think it has any value for network defenders. It doesn't matter who the adversary is, it matters what the capability is and how to protect yourself against it. Obviously, national security folks are very interested in attribution because it does matter for them. My view is we've been able to confirm with high confidence that the Electrum group that did this attack has direct ties to the Sandworm team.

Robert M Lee: [00:09:49:10] So FireEye has tracked the Sandworm team for a while and their folks and John Hultquist over there came out and, and confirmed that the Sandworm team is Russian-based actors working closely with government. I'm not in a position to refute or confirm their assessment. I just know that the cr-- the group we tracked is Electrum. It has direct ties with that group and they've attributed that group to the Russian government.

Dave Bittner: [00:10:13:02] So where do we go from here? This has been a busy few days, obviously, for you. What are your recommendations going forward?

Robert M Lee: [00:10:19:06] Yeah, well, I'm hoping that we'll have more. I mean, this should have been analyzed over a month or two, not 96 hours. But hopefully we'll have more to learn and pass on to our folks. But there's really three big takeaways, I think.

Robert M Lee: [00:10:31:13] Number one, industrial control sites, not only the electric power grid but other sites as well, but especially grid operators, need to have the mindset that, again, it's not about the vulnerability, it's about somebody using your systems against you. And they need to specifically ready the visibility into those environments to look for that, to detect it and, and to understand what they're going to do in response. But the real big mindset changes, it's not about the tool. It's not about the security appliance. You know, that may help you, but you're dealing with human adversaries and you need human defenders inside that loop to make sure that you're defending appropriately. So, that's the first thing.

Robert M Lee: [00:11:09:13] The second thing is the government and its government agencies have done this very, very well this time, I've been extremely impressed, but they really need to capture that nuance and continue beating the drum. This is a serious threat and significant, but not catastrophic. If they really want the industry to respond as they have been right now, the balance and nuance has to be there. We want-- it's the position that it's a serious enough threat to take it appropriately but also recognize the amazing work that the community has been doing over the years.

Robert M Lee: [00:11:37:03] And if they capture that nuance, both communities will respond correctly, and so far that's been done, which is, honestly, amazing.

Robert M Lee: [00:11:44:19] And the third thing that has to be done, after the first attack, Mike Assante, Tim Conway and I, a couple of others that investigated it came out and specifically said that one of the things that bother us the most was that no senior government official in, in the US had admonished the attack in 2015. We said, look, you don't have to do attribution. You don't have to make broad claims of what you're going to do. But the United States government, from senior level, needs to say that attacks on civilian infrastructure are inappropriate and that our hearts and minds are with those folks in Ukraine and that this is unacceptable. You have to make a statement.

Robert M Lee: [00:12:20:19] And so we went around different conferences and so forth and different political circles in DC through, you know, June to August time frame and made that position that this was ridiculous that no one had said anything. And one of the statements we had said at the time was, "You are, you're emboldening the attackers. You're just showing them that they can use Ukraine as a battlefield to test out their capabilities and it's going to come home to roost in our environments within a couple of years." Like, this is their training opportunity and we need to stop this.

Robert M Lee: [00:12:47:18] And, obviously, in December of 2016, it happened again. So, we can't let this opportunity go again. Now that we have the details, now we understand. The Trump Administration and senior level government officials need to come out and strongly make the statement that the United States government as allies do not really have any willingness to let these type of events go unnoticed. And that while we may not do big sanctions or attribution or anything like that, that whoever is responsible know that this is an unacceptable attack on civilian infrastructure.

Dave Bittner: [00:13:19:19] That's Robert M Lee from Dragos. You can read the full report on CrashOverride on their website.

Dave Bittner: [00:13:30:08] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:14:22:01] And I'm pleased to be joined once again by Justin Harvey. He's the Global Incident Response leader at Accenture. Justin, welcome back. You know, we talk about response automation and orchestration and these are hot topics right now. Bring us up to date. What do we need to know about this?

Justin Harvey: [00:14:36:23] Sure. Well, incident response and security operations automation and orchestration, it's not really a new topic these days. But there have been some advances in the technology. If you want to go back several years and look at the way that a security operation center or a fusion center or cyber defense center was architected, it was really architected like a pyramid. The base of the pyramid is-- it's filled with your junior level one analysts that are looking at events. They're, they're interpreting the data. If they need additional information or they have questions, they essentially escalate it up to level two, and there's less-- there are fewer level twos than you have at level ones and so on, until it gets up to the incident response or threat hunt team.

Justin Harvey: [00:15:21:15] That model of building a heavy people-centric security operation center has proven to be unsustainable within the greater information security industry globally. There are simply not enough people or analysts to fill those seats. So the industry has naturally pivoted to ways to address that. And you can address a shortcoming in an analyst in one of two ways. The first would be through managed services. And, yes, we are seeing a dramatic increase and uptick in organizations that want to outsource part of their security monitoring. So, that's one way to do it.

Justin Harvey: [00:16:04:01] And the other way to do it is to utilize things like automation. And automation enables you to take your rote tasks that your level ones are already doing. They see event comes in, they classify, they categorize it, they do a little bit of analysis and then they kick it up to the next level of the security operations pyramid. Well, what automation is doing is it's taking all of those tasks and essentially creating an enriched alert or a contextual alert through collecting system information and with a little bit of logic and then sending it out to the next level for analysis. So it's essentially creating a heads-up display for higher-level resources.

Dave Bittner: [00:16:47:04] And how about orchestration?

Justin Harvey: [00:16:49:03] When you have a predictable alert or an event that you already know that a human is going to take some action on, take for instance a malware denotation. When a sandbox detonates the malware, it already knows where that attachment or where that malicious document or object went to on an endpoint. An orchestration is taking over for what a human would already be assigned to do, go down to that endpoint, pull the flight recorder, determine if the user executed it, if they did execute it, then you want to contain or remediate that threat on the end point. So, orchestration, paired with automation, is becoming more and more powerful, and both of these types of technologies are just addressing a simple fact that there's not enough people in the industry to respond to these incoming threats to organizations.

Justin Harvey: [00:17:44:15] Orchestration can also be brought to bear in helping your existing humans or your existing analysts that are triaging events, essentially guiding them through their work flow. One term I use is guided workflow. So, if you know an event, a particular type of event is coming in, and you know that you can't automate some look-ups or automate a lot of that, at least help the human walk through their decision-making process in order to reach a conclusion and take action to contain that or, or classify that alert as a false positive.

Dave Bittner: [00:18:21:16] All right, Justin Harvey, thanks for joining us.

Dave Bittner: [00:18:26:07] And that's the CyberWire. We hope you'll forgive us for running a little long today but we thought it was news worth sharing. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:18:43:15] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.