The CyberWire Daily Podcast 7.31.17
Ep 402 | 7.31.17

Investigation into ShadowBrokers focuses on former insiders. Threat analyst doxed. Trickbot and NotPetya updates. Sweden's big breach. DPRK hacks online gaming for revenue.


Dave Bittner: [00:00:01:01] If you go to you can find out how to become a contributor and at the $10 per month level you gain access to the ad free version of our show. It's the same CyberWire just without the ads.

Dave Bittner: [00:00:21:05] US investigators are looking for a disgruntled former insider in the ShadowBrokers case. Operation #HackTheAnalyst claims to have doxed a threat intelligence analyst. Electrical utilities look to their defenses. Trickbot gets wormy. NotPetya continues to have material effect on its corporate victims' earnings. Sweden's government is shaken by its data breach. ISIS loses brick and water presence but may be moving online. Ransomware's lethality to small businesses may be exaggerated. And how do you fund a nuclear program? From Pyongyang, Texas Hold 'Em looks like a good bet.

Dave Bittner: [00:01:00:11] And for some notes from our sponsor Cylance. We've been following WannaCry, Petya/NotPetya and other forms of destructive ransomware for weeks. Cylance would like you to know that they can prevent Petya-like ransomware from executing in your system, and they'd also like you to know that they've been doing that since October of 2015. How's that for getting ahead of the threat? Their success against NotPetya demonstrates the benefit of their temporal predictive advantage. Cylance Protect stops both file and fileless malware. It runs silently in the background and, best of all, it doesn't suffer from the blind spots in legacy defenses, that NotPetya exploited to such devastating effect. If you don't have Cylance Protect and you'd like to learn more about how it can defend your enterprise, head on over to and find out how their AI driven solution can predict and prevent the unknown unknowns from troubling you. We thank Cylance for sponsoring our show.

Dave Bittner: [00:02:02:22] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, July 31st, 2017.

Dave Bittner: [00:02:13:08] Speculation about the ShadowBrokers increasingly turns toward the possibility that their source is a disgruntled alumnus or alumna of NSA. CyberScoop says it's been talking with "multiple people familiar with the matter" who say the investigation is focusing on former employees who had access and an axe to grind. Two of their unnamed sources tell them, the publication says, that the incident goes far beyond the Hal Martin case, in which a contract worker at NSA allegedly removed a very large quantity of highly classified information.

Dave Bittner: [00:02:45:20] An insider seems in many ways likely to be involved. The possibility that the stolen information the Brokers have been hawking came from an NSA attack server, left inadvertently exposed, was entertained soon after the hacking group began dumping material last summer. That has come to strike many as less likely. Among the classified material leaked are found, for example, PowerPoint presentations, not in most observers' view the sort of thing one would find on a staging server.

Dave Bittner: [00:03:12:20] So an insider feeding a state actor seems likely. At Black Hat last week the ShadowBrokers were given a Pwnie Award. The Pwnies always credit an individual or group for a real or a dubious achievement. The credit line on the ShadowBrokers' prize was "The Russians. Straight up: the Russians."

Dave Bittner: [00:03:32:02] Another apparent hack, this one on an individual, legitimate security analyst, came to light early today. A Mandiant analyst's personal accounts were seemingly breached, with doxing carried out on Pastebin by a person or persons calling themselves "the 31337 Hackers." The doxing was, they say, part of Operation #LeakTheAnalyst. They also claim to have breached Mandiant systems some time in 2016, but there are no documents posted so far that suggest this is anything beyond extravagant boasting.

Dave Bittner: [00:04:04:13] Mandiant is a unit of FireEye, and FireEye says it's found no evidence that any of its systems or networks were compromised, but, of course, an investigation is in progress.

Dave Bittner: [00:04:15:04] As far as declared motivation, the 31337 Hackers say they've long resented legitimate security analysts and have decided to target them as individuals. The communiques that accompanied their Pastebin doxing aren't quite written in ShadowBrokerese, but they are some similarities. One of the ShadowBrokers' linguistic stigmata is a mangled plural, as in their use of "peoples." There are signs of this in what the 31337 Hackers have to say. For example, "This documents describes some of the key events of the past two months related to cyber espionage". Not quite as mannered and contrived as the ShadowBrokers. Indeed, it's within the range of what one might see in an undergraduate's term paper, but still, Operation #LeakTheAnalyst" will bear watching.

Dave Bittner: [00:05:02:03] Researchers have offered electrical utilities advice on how to discern early signs of cyberattacks similar to those that have afflicted Ukraine. Dragos and others warn that the malware employed is readily adaptable to grid targets anywhere. Such targets need not be older forms of power generation and distribution. Wind farms, for example, are also susceptible to attack.

Dave Bittner: [00:05:24:19] WannaCry and NotPetya owed some of their wildfire spread to their worm-like functionality. Flashpoint researchers warn that the venerable banking malware Trickbot, venerable in malware terms - it's been around for more than a year, has adopted some similar techniques to enable its own dissemination. It's now being found in a much wider geographical region. Some US banks have seen incursions, which is relatively new.

Dave Bittner: [00:05:50:21] The effects of NotPetya continue to be felt. At the end of last week pharmaceutical company Merck disclosed that its manufacturing had been disrupted and has yet to fully recover. Merck warns that the attack can be expected to have material effects on the company's performance. It can be expected that more companies will warn over the coming month.

Dave Bittner: [00:06:09:04] Sweden's large government data breach has resulted in two more departures from that country's cabinet. The ministers responsible for home affairs and infrastructure have both left the government. The breach involved Sweden's transportation agency. It began in 2012, was detected in 2016, and is not expected to be fully remediated for some months yet.

Dave Bittner: [00:06:32:19] The cause of the data exposure is being put down to improper supervision of a $100 million deal with IBM, to handle driver's licensing and vehicle registration. The agency failed, apparently, to control what data it handed over and how the data were controlled. The Swedish Prime Minister called the breach of information, “a total breakdown,” saying, “It is incredibly serious. It is a violation of the law and put Sweden and its citizens in harm’s way.” The head of their Security Service said, “This is very serious because it could damage our operational business that we are conducting every day in order to protect Sweden.”

Dave Bittner: [00:07:08:06] Sweden's transportation agency handles data such as the weight capacities of roads and bridges, potentially useful to an invader, and the type, model, weight, operations and condition of government and military vehicles, from which, among other things, order of battle could be inferred. There was also much private information at risk, including the names, photos and home addresses of air force pilots, anyone in police registers, people in witness relocation programs and members of Swedish special operations forces.

Dave Bittner: [00:07:38:18] ISIS has lost most of its core territory. Observers expect that the terrorist group will make some attempt to reconstitute its claims to being a renewed Caliphate through its online presence.

Dave Bittner: [00:07:50:18] Small businesses can be hit hard by ransomware, but Nextgov reports that the widely quoted statistic that 60% of the businesses so hit go under within six months is exaggerated. The publication says it's working to run the stat to ground but that it's symptomatic of the shaky information that circulates in the cyber sector.

Dave Bittner: [00:08:10:16] Finally, you may have heard that North Korea not only tested an ICBM at the end of last week, but that it's got an aggressive nuclear weapons program, too. How does Pyongyang finance that program? In significant part through cybercrime. A particular favorite of DPRK hackers appears to be online poker.

Dave Bittner: [00:08:34:12] Now another message about some research from our sponsor Cylance. You know good policy is informed by sound technical understanding. The crypto wars are not over. Cylance would like to share some thoughts from ICIT on the surveillance state and censorship and about the conundrum of censorship legislation. They've concluded that recent efforts by governments to weaken encryption introduce exploitable vulnerabilities into applications and develop nation state dragnet surveillance programs will do little to sty me the rise in terrorists attack. adversary communiques within a massive cloud of noise. Back doors for the good guys mean back doors for the bad guys and it's next to impossible to keep the loan wolves from hearing the howling of the pack. Go to and take a look at their blog for reflections on surveillance, censorship and security, that's and we thank Cylance for sponsoring our show.

Dave Bittner: [00:09:05:19] These efforts will be a detriment to national security and only further exhaust law enforcement resources and obfuscate adversary communiques within a massive cloud of noise. Backdoors for the good guys mean backdoors for the bad guys, and it's next to impossible to keep the lone wolves from hearing the howling of the pack. Go to and take a look at their blog for reflections on surveillance, censorship and security. We thank Cylance for sponsoring our show.

Dave Bittner: [00:09:42:10] I'm pleased to welcome back Malek Ben Salem. She's the R&D Manager for Security at Accenture Labs. Malek welcome back. Today we wanted to talk about some interesting stuff that you've all been up to at Accenture with Global ID Systems for refugees. Tell us about that.

Malek Ben Salem: [00:09:56:20] ID 2020 is a global public private partnership, dedicated to solving the challenges of identity so faced by billionaire people around the world. At that ID 2020 Conference, Accenture announced a new global ID system for refugees, that is built on blockchain technology. The choice for blockchain technology is because it's distributed and therefore available most of the time, but it also has some capabilities that allow the data owner to have control over what records get shared with whom. We know that refugees face significant problems because they lose their proof of existence, their proof of identity in zones of war and crisis, and so they need a way to establish that identity in order to get services such as education and health care services, provided by the UN or by other organizations. This new technology, this new global system, should be able to help them establish their identity as they cross borders.

Dave Bittner: [00:11:17:09] So take me through, from a practical point of view, how exactly does it work. I'm a refugee, how are you going to establish an ID for me?

Malek Ben Salem: [00:11:26:01] So you would sign up with your biometric data - it could be your fingerprint or your iris scan, or some biometric data, to establish that identity, but also organizations that have access to your records, let's say the school that you went to which has access to your diploma, would sign up to the same system and would share that data to verify that you have that record. So the data would stay off blockchain, but the verification happens through the blockchain.

Dave Bittner: [00:12:02:20] Is it a situation where, through various types of data, the strength of the certainty of that ID gets improved over time?

Malek Ben Salem: [00:12:14:12] Yes, as more additional pieces of information get gathered, but also it's the scale as more people get signed up to this tool then it could be offered to everybody, not just refugees. It's a way of having a digital identity where you keep all of your records in one place and you don't lose them for any reason. We're seeing more instances of this. For example, through the Swiss town, that is known as the Crypto Valley of Switzerland, has announced that it will provide all of its citizens with a digital identity on the Ethereum blockchain by September 2017. So I think we're going to see more of this trend in the near future.

Dave Bittner: [00:13:07:17] Interesting stuff. Malek Ben Salem thanks for joining us.

Dave Bittner: [00:13:13:17] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible especially to our sustaining sponsor Cylance. To find out more about Cylance and how they can help protect you using artificial intelligence visit

Dave Bittner: [00:13:30:18] Don't forget to check out the Grumpy Old Geeks podcast, where I have a regular segment called Security Hob. It's a good time, we hope you enjoy it. And also don't forget to check out the Recorded Future podcast. I'm the host there as well. The subject is Threat Intelligence.

Dave Bittner: [00:13:43:08] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.