The CyberWire Daily Podcast 7.3.17
Ep 383 | 7.3.17

Recovery and attribution: Petya/Nyetya/NotPetya. Cyber conflict and collective defense. Online inspiration and online censorship. The EU's regulatory big stick. Vishing Parliament.


Dave Bittner: [00:00:00:00] I want to thank our latest Patreon supporters. If you haven't checked it out yet, please do so. It's at Thanks.

Dave Bittner: [00:00:12:06] Recovery from Petya/Nyetya/NotPetya proceeds and it's not ransomware. Ukraine says Russia's responsible. US warnings of cyberattacks on nuclear power plants may have been premature. NATO members consider when to invoke Article 5 in cyberspace. Islamist inspiration and other political discontents prompt content screening in Europe. Europe is also in a punitive mood with respect to regulation. Kaspersky says it will show the US its source code if that's the cost of doing business. And hey Lords and Commons, that's not really Windows support asking for your password.

Dave Bittner: [00:00:52:10] Time for a message from our sponsor Recorded Future. You've probably heard of Recorded Future, they're the real time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web: Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP address and much more. Subscribe today and stay ahead of the cyberattacks. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:56:03] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, July 3rd, 2017.

Dave Bittner: [00:02:05:20] Last week's Petya/Nyetya/NotPetya campaign is now clearly seen as destructive and disruptive, and not a ransomware attack at all. We're just going to refer to it as Petya in today's podcast, just for the sake of time. Affected organizations continue their recovery. The experience of Maersk is instructive. Last Thursday the shipping company told customers its operations had resumed at a "now close to normal" rate, although some clients reported continuing difficulties.

Dave Bittner: [00:02:35:22] FedEx's TNT Express subsidiary was also heavily affected, with disruptions reported into the weekend.

Dave Bittner: [00:02:43:14] There's been no shortage of advice on how enterprises might respond to Petya. They range from the simple for-heaven's-sake-patch-already to you-should've-used-blockchain and all the way to retaliation by drone strike.

Dave Bittner: [00:02:56:08] Ukrainian authorities have directly and unambiguously blamed Russia for last week's Petya attacks. They've also called in international partners, including Interpol and the FBI, to help with the investigation. The threat actor held to be responsible is the group known as Telebots or Sandworm, a Russian actor also associated with attacks on Ukraine's power grid in December 2016.

Dave Bittner: [00:03:20:00] Russian authorities for their part deny having anything to do with it, but their story finds few takers. It's true that some Russian enterprises, notably the oil company Rosneft, were also infected. It's also true that Russian Presidential spokesman Dmitri Peskov called late last week for the international cooperation against cybercrime of this type. Whether one sees infestations at Rosneft and Mr. Peskov's desire for cooperation as exculpatory evidence, or as provocation and misdirection, will depend on how historically informed one's interpretations of official Russian motives are.

Dave Bittner: [00:03:56:16] Three observations are perhaps in order. First, as much as Petya was called "ransomware," the number of informed observers who think it was a campaign of ordinary criminal extortion is vanishingly small. Thus an expressed desire to bring the criminals to justice is either naïve or disingenuous. Second, Rosneft itself obliquely hinted that there's maybe, just maybe, a domestic source of the attack it suffered. The oil company said it hoped the attack had nothing to do with ongoing legal battles with its oligarch-owned rival Sistema. And third, the incident seems too closely aligned with Russian objectives in the hybrid war against Ukraine to be a mere coincidental criminal operation.

Dave Bittner: [00:04:39:15] US Government warnings last Friday of phishing campaigns successfully targeting nuclear power installations may have been premature. In any case, the Nuclear Energy Institute said Saturday that no US nuclear plants had been penetrated.

Dave Bittner: [00:04:54:00] We mentioned "drone strikes" as a possible retaliation for Petya - that's surely headline-writers' exaggeration. No one has seriously suggested droning some GRU coder for whatever it is that Sandworm may or may not be up to. But as cyberattacks increasingly have physical effects, kinetic retaliation is more often considered. British officials are the latest to entertain such speculation and NATO members are devoting some hard thought to the circumstances under which the Alliance's Article 5, collective defense, might be invoked in the case of cyberattack.

Dave Bittner: [00:05:29:17] Islamist groups continue to post inspirational material online. An affiliate of Al Qaeda in Mali has posted disturbing video of long-term hostages it's kidnapped. And a group of foreign fighters in Syria has appeared in a pro-ISIS expose of all that's wrong with the dar-al-harb: sensuality, lack of compassion, indifference to the plight of the elderly, and so on. These points are, to be sure, in tension with or outright contradiction to the murderous practices ISIS and similar groups have sought with unfortunate success to inspire. But for a window into the story they're telling and the values they're offering, this video offers some useful and sobering insight.

Dave Bittner: [00:06:12:14] The European Union and some of its member states signal a determination to police data security, competitive practices and extremist speech. Germany has enacted a law that would impose harsh penalties on services that permit hate speech. A look at existing measures to identify such speech suggests the problem remains unsolved. Facebook's guidelines for human curation of content carried over the social media provider show the difficulty of applying such measures in ways that either can't be easily circumvented, that yield counterintuitive results, or that simply amount to censorship.

Dave Bittner: [00:06:48:01] Those optimists inclined to see carrots may wish to consider that the sort of stick GDPR might wield against non-compliant companies was foreshadowed last week in a different case entirely. Last week the European Union hit Google with a record fine for anti-competitive behavior - a cool $2.7 billion for goosing search results in its own favor. Google will appeal, but Mountain View isn't optimistic. Google has said it expects to pay in full. It may get worse - the EU's Commissioner for Competition followed up the regulatory finding by encouraging companies whose business may have been damaged by anti-competitive practices to use her report as the basis for civil suits against Google.

Dave Bittner: [00:07:32:10] Kaspersky Lab will show its source code to the US Government, a development that hasn't been universally welcomed in the security industry. Kaspersky was facing a possible Congressional ban on doing business with the US Defense sector. Russia mulls retaliation if Kaspersky is barred from such work in the US.

Dave Bittner: [00:07:51:12] Finally, a quick update on those assaults on the British Parliament's email system. Over a week ago Whitehall was subjected to a brute-force campaign designed to expose Parliamentary passwords. Late last week MPs were warned again - they'd been receiving phone calls from "Windows," contacting them on behalf of the "Parliamentary Digital Service." As you might expect, they were calling to help with problems and would the MPs kindly tell them their passwords, the better to enable them to address the problem and so on. The actual Parliamentary Digital Service was quick to say that "we will never ask you for your password." Indeed, no one with your best interests at heart is likely to ask you for your password. And no, that isn't "Windows" calling - the boiler-room background noise alone is a dead giveaway.

Dave Bittner: [00:08:45:09] Now I'd like to tell you about some research from our sponsor Delta Risk. We all depend on the power grid - you've heard a lot over the last few months about the grid's vulnerability. Crash Override, in particular, threw a scare into the energy distribution sector. It's a real threat and its masters demonstrated what they can do last December in Ukraine. Even a minor disruption to the power grid could be devastating to all of us. Download Delta Risk's new white paper: "Cybersecurity and the grid, the definitive guide," for insight into how the North American power grid works, an overview of current regulations and a look at potential cyber threats. You'll find the guide at

Dave Bittner: [00:09:26:07] Delta Risk LLC, a Chertoff Group company, is a global provider of strategic advice, cyber security and risk management services to commercial and government clients. Learn more about Delta Risk by visiting and while you're there get that guide to cybersecurity for the grid. It's We thank Delta Risk for sponsoring our show.

Dave Bittner: [00:09:57:00] Joining me once again is Markus Rauschecker. He's the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security. Markus, great to have you back. We saw a story come by via Reuters and the headline was: "Companies use kidnap insurance to guard against ransomware attacks." That's news to me. What's going on here?

Markus Rauschecker: [00:10:15:15] This is somewhat of an interesting and new approach here that some companies are taking. As you may know, companies that do business in dangerous parts of the world may often have these kidnap and ransom insurances, so that in the event that one of their employees gets kidnapped and held for ransom, the insurance would kick in and actually pay the ransom to release their employee. Now some companies are taking that kind of insurance and trying to apply it to cyber incidents, specifically ransomware incidents. So a company will become a victim of a ransomware attack, where their data is held ransom, and the company has to pay to get that data back. That can be very costly. So a lot of companies who have this kidnap and ransom insurance are trying to use that insurance policy to cover their cost for responding to the ransomware cyberattack.

Dave Bittner: [00:11:11:15] It was interesting in this story, they quoted a gentleman named Bob Pirisi who works for Marsh & McLennan Companies, an insurance broker. He said, "If your CFO gets kidnapped the company is going to continue to function. If you get a piece of malware on the system you might have two factories that stop working. The actual damage is probably greater." That may be true, unless you're the CFO!

Markus Rauschecker: [00:11:33:12] You certainly wouldn't want to be the CFO in that situation. But it is certainly the case that for a lot of companies the data that they have, and that they use to conduct business, is absolutely critical. Without that data they can't do business. It's vital that, if they are victim to a ransomware attack, they get access to that data again as quickly as possible. It's interesting that companies are trying to use this kidnap and ransom insurance and are trying to apply it to ransomware incidents when that clearly was never the intent of this kind of insurance policy. It was always intended to apply to the individuals who might get kidnapped but not to cyber incidents.

Markus Rauschecker: [00:12:16:21] So I think it's kind of a novel way of trying to get coverage, but I think what companies really should be doing, and what they really should consider, is getting actual cybersecurity insurance - a cyber insurance policy that will actually apply in case of ransomware as well because I think, in the end, the company will be much better off having that kind of an insurance policy that will specifically apply to cybersecurity incidents and incidents of ransomware, where they know they'll be covered and can recoup some of those costs that are associated with the incident.

Dave Bittner: [00:12:51:07] I thought it interesting that the article ends talking about AIG, the insurance company, saying that they've reduced business interruption coverage for kidnapping and ransom policies to a million dollars for cyber extortion events and the quote is "insurers didn't anticipate there would be this much ransomware activity."

Markus Rauschecker: [00:13:08:19] Yes, unfortunately that is the case - ransomware is a growing threat. It's only going to continue to grow and hopefully companies are realizing that and doing everything that they should be doing to protect themselves on the data.

Dave Bittner: [00:13:23:14] Markus Rauschecker, thanks for joining us.

Dave Bittner: [00:13:28:15] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more visit Thanks to all of our sponsors who make the CyberWire possible especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence visit Thanks once again to all of our supporters on Patreon and to find out how you can contribute to The CyberWire go to

Dave Bittner: [00:13:53:22] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.