The CyberWire Daily Podcast 7.11.17
Ep 388 | 7.11.17

Russia's phishing for nuclear power plants. NATO offers aid to Ukraine. Election hacking updates. M&A and venture news. Crime, punishment, and cryptocurrency.


Dave Bittner: [00:00:00:16] The CyberWire Podcast is made possible in part by listeners like you, who contribute to our Patreon page. You can learn more at

Dave Bittner: [00:00:13:06] Russia goes phishing in the North American and European power grid. NATO has had about enough of that. There will be no US-Russian joint cybersecurity effort. The Adwind RAT is back, and seeking to socially engineer its way into aerospace company networks. We've got some election hacking investigation updates. Industry notes, including both venture and M&A news. And BYOD can pose a threat, especially when the device your rogue employees are bringing is an off-the-books server.

Dave Bittner: [00:00:47:07] Time to take a moment to tell you about our sponsor, Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cybersecurity analysts unmatched insight into emerging threats. We read their dailies here at the CyberWire, and you can too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and more. Subscribe today and stay ahead of the cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and it's on the money. That's, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:48:11] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, July 11th, 2017.

Dave Bittner: [00:01:59:05] More on the cyber attempt on the US energy sector has come to light. It was apparently a phishing campaign, mounted from Russia, and without effect on operational systems. Nonetheless, members of the US Congress are expressing concern and demanding explanations. EnergyWire reports that the campaign has been in progress since May, and that the attackers are "drawing from the Ukraine playbook," that is, the complex attacks used to take down sections of the Ukrainian grid twice since late 2015.

Dave Bittner: [00:02:29:15] Europe is seeing similar probes of its critical infrastructure, and authorities and experts there, too, suspect Russia.

Dave Bittner: [00:02:37:08] Actually getting into power plant operational systems isn't trivial, but it's not impossible either. Observers note that phishing is one obvious attack method, but so are malware-laden USB drives and either malicious or compromised insiders. Those latter two approaches would overcome the airgapping in which so many industrial operations place so much confidence.

Dave Bittner: [00:02:59:15] Robert Hannigan, former head of the UK's GCHQ, told the BBC that, "There is a disproportionate amount of mayhem in cyberspace coming from Russia, from state activity," and that this may be deterred only through retaliation.

Dave Bittner: [00:03:15:18] NATO has announced that it's providing Ukraine with a range of cyber capabilities to aid that country in the hybrid war Russia is waging in the Donbas and elsewhere. In a joint press conference with Ukrainian President Poroshenko, NATO Secretary General Stoltenberg said the Atlantic Alliance was providing Ukraine with the means to investigate the cyberattacks it's sustained.

Dave Bittner: [00:03:37:09] The Alliance has also told Russia that it wants Russian troops out of Ukraine. US sanctions are expected to stay in place as long as the Russian occupation of Crimea continues.

Dave Bittner: [00:03:48:05] The very short-lived glimmer of international cooperation, confidence building and détente that twinkled on Sunday went out in less than 13 hours, as measured in US President Trump's tweets on the possibility of easing tension in cyberspace. There will be no joint US-Russian effort to shore up cybersecurity. President Trump's account of his meeting with President Putin said he pressed the Russian leader on election hacking and, in any case, Congress is unlikely to find itself in the mood for any reset in relations, still less any détente.

Dave Bittner: [00:04:20:07] In the US, various investigations into Russian election hacking and the fallout therefrom continue. President Trump's son will testify before Congress concerning campaign-season contacts from Russian actors who said they had discreditable information on Democratic candidate Clinton, and it appears that former FBI Director Comey's private memoranda of conversations with President Trump may have contained, improperly, classified information.

Dave Bittner: [00:04:47:00] We turn with some relief to more ordinary cybercrime and a mix of industry news.

Dave Bittner: [00:04:52:12] Trend Micro warns that a spam campaign pushing the cross-platform remote access Trojan Adwind is in progress. This time around the RAT is for the most part snuffling around the aerospace industry, with targets in Switzerland, Ukraine, Austria, and the US. Trend Micro notes that social engineering is an important part of its approach.

Dave Bittner: [00:05:13:11] Several significant bits of industry news are breaking. DarkTrace has raised $75 million for a just-shy-of-unicorn valuation of $825 million. DarkTrace has shown considerable ability to penetrate the lucrative US market, and it also announced early today that it had concluded a strategic partnership with managed security services provider CITIC Telecom CPC to gain traction in Asia and the Pacific.

Dave Bittner: [00:05:41:18] RiskLens has secured $5 million in Series A funding. The equity investment was led by Osage Venture Partners, with participation by Paladin Capital, Dell Technologies Capital, and Kick-Start.

Dave Bittner: [00:05:54:16] HyTrust has also raised money - some $36 million in Series E funding from Advance Venture Partners - and has acquired DataGravity for its data security solutions capability.

Dave Bittner: [00:06:07:04] Symantec has bought Skycure as a mobile security play. Along with last week's acquisition of Fireglass (a browser isolation shop) the Skycure acquisition is expected to enhance Symantec's position in the endpoint protection markets.

Dave Bittner: [00:06:22:14] Finally, StarHub has announced that it will fully acquire cybersecurity firm Accel for 26 million Singapore dollars. The Singapore telco already owned 51% of Accel; now it will have the whole shebang.

Dave Bittner: [00:06:36:06] Returning from commerce to crime and punishment, the former head of Bitcoin exchange Mt. Gox is about to go to trial on charges of embezzlement. Cryptocurrency traders and users hope the trial will have a clearing, salutary effect on the market.

Dave Bittner: [00:06:52:09] But cryptocurrencies are affording opportunities for crime elsewhere. The South Korean exchange Bithumb, whose hacking we've been following, didn't suffer embezzlement, but it did sustain a breach of customer information apparently traceable to BYOD gone bad. An employee's computer appears to have been compromised, which then opened the door to compromise.

Dave Bittner: [00:07:14:17] And in Italy, according to DarkTrace, a bank's servers were used in a Bitcoin mining scheme. This one involved BYOD with a vengeance - BYOS, bring your own servers - as employees took advantage of electrical power and cooling systems in data centers to install their own off-the-books servers dedicated to coin mining.

Dave Bittner: [00:07:40:03] I'd like to take a moment to tell you about an important upcoming webinar from our sponsor, ThreatConnect, called Exploiting the Adversary: How to Be Proactive with Threat Intelligence. You know that understanding your adversary is essential to effective cybersecurity. To block threat actors now and in the future, you must know where they've been before, their techniques, tactics and procedures. You also need to know if they're targeting your specific organization. A deep understanding of your adversary enables you to take steps to proactively protect your environment from breaches, and this will be the focus of this webinar.

Dave Bittner: [00:08:14:16] It's all happening this Wednesday, July 12th, at 2pm Eastern Time. Join Kyle Ehmke, Threat Intelligence Researcher at ThreatConnect and Araceli Gomes, Solutions Architect at CrowdStrike, to talk about proactive threat intelligence strategies, and how best to leverage threat intelligence in your own research. Sign up today at, and we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:08:47:18] Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, welcome back. We've had a lot of news about botnets, and that's something that you all have to deal with when they occur. Let's talk about botnets. Where do you see things headed, as we look towards the horizon?

Dale Drew: [00:09:08:11] We're seeing a sort of evolution of botnets. Not only are they becoming much more commoditized, and not only are they able to make much more money for the actual bad guys themselves, and the bad guys have really been able to rent botnets out to consumers at a much faster rate, and faster scale, but we're seeing technology inside the botnet, evolving to really avoid detection. We're seeing three things from a botnet evolution perspective. Bad guys are taking different components of botnet technology that's been released in the wild, and plugging that stuff in together. WannaCry is a great example of people taking different pieces, parts and components of different botnets. One is an IP address scanning algorithm and one is a disk encryption algorithm, and one is a drop deployment and infection algorithm, and they put all that stuff together and then create something new as a result, using old piece parts.

Dale Drew: [00:10:14:07] We're also seeing some of the core botnet developers getting more sophisticated. Two trends that really worry us are the use of peer-to-peer and the use of Tor. WannaCry, again, is a good example of Tor, where the bad guys' communication with the command and control infrastructure was over the Tor network. Anyone watching the Internet network, the backbone infrastructure, lost that visibility, because all you saw was traffic going into a Tor entry node and out of a Tor exit node. There's a lot of mechanisms to be able to track that activity, but the security community really needs to orient its attention in the Tor space.

Dale Drew: [00:10:56:01] The other one is peer-to-peer, and peer-to-peer is scary because every node becomes a botnet node, and every node becomes a command and control system. You can no longer just cut off the head of a piece of infrastructure anymore, you now have to shut down the entire infrastructure, before you have any effect on that botnet's effectiveness.

Dave Bittner: [00:11:15:18] Is there any sense that there's a growing sophistication in the types of devices that the botnet wranglers are bringing into the botnets?

Dale Drew: [00:11:23:22] I'd say, with the bad guys and especially the organized crime and the nation state bad guys, what they're really interested in is two things. They're interested in scale. They're focusing attention on two primary things. One is protocols that have a deep entrenchment in the Internet, anything that they can find. SMB and DNS are great examples of any protocol that has a rich history, and a deep entrenchment capability, inside the internet. They want to take advantage of those protocols, because of the massive amount of scale they instantly have access to, and the level of difficulty to repair those sorts of protocols that have such a long life.

Dale Drew: [00:12:06:21] The other one is devices from a scale perspective. So, the reason why Internet of Things is so popular is, one exposure is essentially the same exposure for every single same class of device of that IoT device. And so, if they can find a single exposure that doesn't have the nuance of being slightly patched over here, or have an anti-virus control over there, or an intrusion detection capability over there, if they know that same exposure will uniformly work across a large scale of devices, those are the sorts of devices they're going after.

Dave Bittner: [00:12:39:19] Dale Drew, thanks for joining us.

Dave Bittner: [00:12:46:02] Now I'd like to tell you about some research from our sponsor, Delta Risk. We all depend on the power grid. You've heard a lot over the last few months about the grid's vulnerability. CrashOverride, in particular, threw a scare into the energy distribution sector. It's a real threat, and its masters demonstrated what they can do last December, in Ukraine. Even a minor disruption to the power grid could be devastating to all of us. Download Delta Risk's new White Paper, Cyber Security and the Grid: The Definitive Guide, for insight into how the North American power grid works, an overview of current regulations, and a look at potential cyber threats. You'll find the guide at Delta Risk LLC, a Chertoff Group company, is a global provider of strategic advice, cybersecurity and risk management services to commercial and government clients. Learn more about Delta Risk by visiting, and while you're there get that guide to cybersecurity for the grid. It's, and we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:14:03:03] Anyone who does any amount of browsing online is quick to notice that advertisers are tracking you, popping up ads for products you may have been browsing, or even just searching for online. Lance Cottrell is Chief Scientist at Ntrepid, and he joins us to offer some insights on online ads and the technology behind them.

Lance Cottrell: [00:14:22:12] Advertising has really started to turn up everywhere and get very aggressive about the kinds and amount of information they're keeping track of. Just because you visit some particular website doesn't mean you want information about that forever. If I happen to be going to a site looking up hemorrhoids or something embarrassing, and then I'm later using a web browser with someone looking over my shoulder, and all the brand ads along the side of the browsers, that's awkward and weird. It's annoying.

Dave Bittner: [00:14:57:11] There seems to be this ongoing developing arms race between the browsers and the people who make plug-ins for browsers. We've just had an announcement from Apple at their developer event, that they're enhancing their Safari browser with something they're calling Intelligent Tracking Prevention.

Lance Cottrell: [00:15:17:03] What they're trying to do is reduce the ability for third parties to be tracking you as you move around the internet. First parties are the people you're actually connecting to, so, if you go to a website they often need cookies, to make the website work, and they may, in fact, be using tools from second parties. So, if they're using Google analytics to track their own website, or if they've got other things to manage, like a fraud on their website, those are second parties. Third parties are the advertisers that are going through networks onto your websites that you're visiting, and that's where the concern comes up, because now it's not just someone tracking your activities on that one website, but it's about the ability to track you across the entire internet, every page you go to. Realistically these days, we'll have a Google ad tracker built into it, and that's how they get this ubiquitous view.

Lance Cottrell: [00:16:12:11] For a long time browsers have had the ability to block third party cookies. In fact most of them, by default now, don't allow someone who's not directly involved in your interaction with the website to set these kinds of trackers, and very quickly, the advertisers adapted, so they now have tools to get around that and track you anyway. Apple is sort of taking the next step in that arms race, to try to stop that kind of circumvention. They're building smart tools to try to recognize when that's going to happen, and shut that down again. But this is a very active arms race and, while consumers are somewhat interested in stopping this, and express it often but don't do much about it, the advertisers are hugely motivated to do this kind of tracking. So I suspect that any gains that Apple creates with tools like this will be quickly undone by the advertising, marketing and tracking companies that are so motivated to maintain that ability.

Dave Bittner: [00:17:14:00] You make the point that this might give people a false sense of security.

Lance Cottrell: [00:17:17:18] Exactly. Like incognito mode in the browser, people turn on something like this and think, "Oh, okay, now I'm not being tracked." But the things that these browsers address are only a small fraction of the kinds of tracking that take place. So they can prevent, say, cookies from being implanted on your browsers but, at the same time, your computer's address, your IP address, will often uniquely identify you, or at least your household or your business, on the internet. And, in fact, almost every browser has a unique fingerprint. The combination of all the plug-ins, all the fonts, all the character sets, all the preferences, the size of the monitor, all of that goes together. You think that's not that much but, actually, combined it makes you unique, the only visitor to most websites you visit with that exact fingerprint. That allows these people to reapply the cookies to you, re-track you and, of course, that's advertisers, that's corporations, but that's also governments, hackers, someone who wants to attack you. Anyone can use these tools, and do.

Dave Bittner: [00:18:22:07] And so what's to be done? If I want to have a reasonable amount of privacy, what are some of the steps I can take to do that?

Lance Cottrell: [00:18:29:03] The first step is being very judicious about what you share. When you're using these social media platforms, I think we need to go in with the "there is no privacy on these platforms" kind of attitude. You can set which of your friends see things, but we just have to assume that everything we do is on a postcard, and take care with not sharing it in the first place. My general axiom is that data is a toxic asset. If it exists it's a problem, and it will get out, it will leak. You just have to assume, at some point your ISP is going to get hacked, or your email will get exposed, or your computer will get compromised, and you'll get doxed.

Lance Cottrell: [00:19:06:17] If embarrassing stuff exists, there's always a chance that it can get out there. So the first key is, just be very judicious about what you create, and making sure that you keep as little as you need to, for as short a time as you need to. Then, if you want to do something that requires [INAUDIBLE] that is an issue, make sure that you use tools. There are specific anonymity tools; we build a tool called Anonymizer. There's things like Tor that are out there, that you can use. Use those, with care, for just that purpose, and then clean it out and go back to your normal activities. It's not easy to combine both.

Dave Bittner: [00:19:45:22] That's Lance Cottrell from Ntrepid.

Dave Bittner: [00:19:52:08] That's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:20:04:24] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jen Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.