The CyberWire Daily Podcast 8.14.17
Ep 412 | 8.14.17

Charlottesville hacking. Operation #LeakTheAnalyst. Dissatisfied customer calls ShadowBrokers a "ripoff." More HBO leaks. Google purging SonicSpy. Collusion attacks. Marcus Hutchins in court.


Dave Bittner: [00:00:01:03] If you go to, you can find out how to become a contributor, and at the $10 per month level you gain access to the ad-free version of the show. It's the same CyberWire, just without the ads. So check it out: Thanks.

Dave Bittner: [00:00:21:05] Online reactions and hacks in response to the Charlottesville rioting and homicide. Operation #LeakTheAnalyst releases another, smaller, set of documents. The ShadowBrokers get some poor customer reviews for their Exploit-of-the-Month Club. Reputation matters in dark web markets. Google ejects SonicSpy-infected apps from the Playstore. More HBO leaks, but no new messages. Oxford researchers describe Android library collusion attacks, and fellow security researchers can't believe Marcus Hutchins would wittingly do what the Feds accuse him of.

Dave Bittner: [00:00:58:01] And now something about our sponsors at E8 Security. We've all heard a great deal about artificial intelligence and machine learning in the security sector, and you might be forgiven if you've decided that maybe they're just the latest buzzwords. Well, no thinking person believes in panaceas, but AI and machine learning are a lot more than just empty talk. Machine learning, for one thing, is crucial to behavioral analytics. You can't recognize the anomalous until you know what the normal is, and machines are great at that kind of base-lining.

Dave Bittner: [00:01:24:20] For a guide to the reality, and some insights into how these technologies can help you, go to, and download E8's free white paper on the topic. It's a nuanced look at technologies that have both future promise and present payoff in terms of security. When you need to scale scarce human talent, AI and machine learning are your go-to technologies. Find out more at And we thank E8 for sponsoring our show.

Dave Bittner: [00:02:04:21] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Monday, August 14th, 2017.

Dave Bittner: [00:02:15:06] The weekend's sad riot and homicide in Charlottesville, Virginia, reverberate in social media with outing of rioters and so on. Anonymous has protested the neo-Nazi rally that prompted the disturbance. They did so with a distributed denial-of-service attack against Charlottesville municipal websites in what they're calling Operation Domestic Terrorism, which seems wayward in its choice of target, since the Charlottesville city government certainly had nothing to do with welcoming or encouraging neo-Nazis. GoDaddy has ejected the Daily Stormer from its hosting service, telling the neo-brownshirt site to find itself another place on the web.

Dave Bittner: [00:02:56:15] The hackers working the #LeakTheAnalyst campaign (afflicting minor pain on FireEye) released another small cache of material, only a fraction of which alludes to the company. Motherboard puts the total size of the dump at just three megabytes, but the hackers represent it as an exposé that FireEye's account of the incident is hooey. The hackers' diction has grown more ShadowBrokerish (although in fairness the Brokers are in general less obscene).

Dave Bittner: [00:03:23:07] They explained on Pastebin: "Guess what? We're going to punish the liars, the fat riches who care only about their stock shares." There's a bit more, including a motto ("In Blackhats we trust") some reviews of various journalists who've covered the campaign (mixed reviews, but more thumbs-down than thumbs-up), and in a kind of credit reel, the hackers give "special thanks" to APT28 and the ShadowBrokers. APT28, of course, is the group also known as Fancy Bear, by consensus Russia's GRU military intelligence agency.

Dave Bittner: [00:03:57:21] FireEye most recently reported on APT28 in a blog post last week in which they outlined the groups' operations against hotel Wi-Fi systems in Europe and the Middle East. Their conclusions, among others, noted APT28's use of EternalBlue exploits to propagate spyware across hospitality networks. EternalBlue is the Equation Group code leaked this spring by the ShadowBrokers.

Dave Bittner: [00:04:21:14] FireEye is investigating this latest round of doxing Operation #LeakTheAnalyst; their response is expected soon.

Dave Bittner: [00:04:28:24] Speaking of the ShadowBrokers, they themselves haven't been heard from much so far this month, but of course it's still early. They should resurface with the approach of September, but their wares are getting some poor reviews on Steemit. "A ripoff," one dissatisfied customer writes with dismissive disgust. His review pertains to the June Exploit-of-the-Month delivery: "TheShadowBrokers ripped me off. I paid 500 XMR for their “Wine of the Month Club” and only they sent me a single tool that already requires me to have a box exploited. A tool, not even an exploit! The tool also looks to be old, and not close to what the ShadowBrokers said could be in their subscription service."

Dave Bittner: [00:05:08:20] So there you go: caveat emptor. Spend your money elsewhere, kids. The Brokers may not really need all that cryptocurrency anyway, whatever wolf tickets they may be passing out on dark web markets.

Dave Bittner: [00:05:22:02] If the ShadowBrokers were seriously in the money-making business, which they actually may be, all appearances to the contrary and unlikely as that seems, they might be concerned about the low degree of customer satisfaction such reviews might indicate. A team of sociologists' study concludes, in illegal markets, reputation is everything. Negative reviews in dark web markets may be one way of hitting otherwise inaccessible dealers. The research, which is being reported in the Journal of Quantitative Criminology, looked at illicit transactions in opioids conducted over dark net marketplaces.

Dave Bittner: [00:05:56:09] The transactions involved 57 sellers and just over 700 buyers. First-time buyers, and those were 82% of the buyers over the course of the six-month study, were found to value the seller's trustworthiness, as measured by the uncertain yardsticks of buyer reviews and scores, even more than they valued a bargain. So reputation in the dark web equivalent of Yelp mattered more than low prices. There's some suggestion that law enforcement might seek to manipulate ratings to disrupt illegal markets. It's an open question whether buyers of malware or cyberattack services are motivated in the same ways opioid buyers are. The question seems worth asking.

Dave Bittner: [00:06:37:04] "Mr. Smith" has leaked more stolen HBO material. No Game of Thrones this time, but episodes from Ballers, Barry, Curb Your Enthusiasm, Insecure, Latino Shorts, Room 104, and The Deuce. There are also some apparent HBO internal documents in the leak. Unlike the first two rounds of HBO leaks, there were no boasts, demands, or other special messages from "Mr. Smith."

Dave Bittner: [00:07:01:11] Google has purged a number of SonicSpy-infected apps from the Play Store. Researchers at the security firm Lookout last week reported finding about a thousand such infestations, and clean-up proceeds.

Dave Bittner: [00:07:13:24] Oxford University researchers are describing "collusion attacks" in a proof-of-concept that shows Android libraries could be exploited to reveal data to unauthorized services when libraries are shared among several apps.

Dave Bittner: [00:07:27:17] In industry news, two startups announce new funding: Wickr has raised $8.8 million; Dragos $10 million.

Dave Bittner: [00:07:37:11] And finally, Marcus Hutchins, the accidental hero of the WannaCry kill switch, is due to appear in a Milwaukee court today. Hutchins continues to receive widespread support among security researchers, mostly on the ground that those who know him - and a lot of people do - simply can't believe he'd wittingly and intentionally be involved with the sale and distribution of the Kronos banking Trojan.

Dave Bittner: [00:08:04:05] Now I'd like to tell you about an upcoming webinar from our sponsor Delta Risk. With threats to the healthcare industry at an all-time high, IT and information security professionals in hospitals, healthcare provider firms, and insurance firms have more concerns than ever about patient data and business continuity. In the 45-minute webinar, Preparing For Cyber Risks To Healthcare Operations: Be Ready, Not Sorry, experts from Stanford Children's Health, Delta Risk, and Huntzinger Management Group will discuss essential elements of how to respond to a cyber attack and properly prepare a business continuity plan.

Dave Bittner: [00:08:39:05] Save the date for August 23rd at 1pm ET, by visiting Delta Risk LLC, a Chertoff Group company, is a global provider of cyber security services to commercial and government clients. Learn more about Delta Risk by visiting, and reserve your seat for this interactive discussion. And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:09:10:03] And joining me once again is Robert M. Lee - he's the CEO at Dragos. There was a recent incursion into some Irish and UK power grids, but there were some particularly interesting details about these attacks. What can you tell us about that?

Robert M. Lee: [00:09:25:04] So the intrusions that were reported specifically talked about intrusions in the power companies themselves. We don't know if it made it into the industrial control system environments yet, which would give us even more pause, but there was discussion about targeting the integration firms and engineering firms, and as we talked about last time, that is the type of information that we don't want to see stolen, because it could help adversaries potentially move into a Stage II type ICS attack.

Robert M. Lee: [00:09:51:01] What that really means, to sort of break that down further, is in the industrial control system environments, these are very weird and different environments than IT. They're very different from each other as well - there's no real ICS community; there's all sorts of little sub-communities inside of that - and one substation of the power grid, compared to another substation, even of the same company, in that same region, could be vastly different, not only in vendors but integration, and physical equipment, and physical process, in how they're producing and distributing electricity.

Robert M. Lee: [00:10:23:14] And so, for an adversary to really do disruption or damage inside one of these environments, they've got to capture the understanding of that specific industrial process they're going after. Scalability is possible, as we saw with the crash override case in the Ukraine 2016, but it's not trivial. So the more you scale it, the less disruptive or damaging it's going to be by resource expenditure.

Robert M. Lee: [00:10:46:20] So, going back to this third-party concept, it's important for industrial asset owners and community members to understand some of the most sensitive information about their industrial environments aren't contained in the ICS itself. Your IT networks probably have very sensitive information around how you're using the ICS, like billing, and how you identify how much power you're distributing to your local neighborhoods, or how many cookies you're pulling off the manufacturing line, but at the same time, your integration firms, and engineering firms, and their party folks have all your technical details around how the network was built.

Robert M. Lee: [00:11:20:14] So if you combine the IT knowledge that has some ICS impact in it, you combine the integration in these third-party firms, and you combine what's going on inside the ICS once you've sort of ground through it, with those three data sources, you can start designing some attacks. So I usually recommend to folks, for those third-party assessments, really the IT/OTPs, you have just got to get that bridge built inside your own organization.

Robert M. Lee: [00:11:43:12] With those third-party sources, that's where we need to start seeing things like better service level agreements, and an understanding that if breaches occur in an integration or engineering firm, then their customers need to be immediately notified, and they should already have good forensic practices set up in their environment to understand what was taken, and who might be at risk.

Dave Bittner: [00:12:01:16] All right. Interesting stuff. Robert M. Lee, thanks for joining us.

Dave Bittner: [00:12:07:07] And that's The CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit A reminder that if you're interested in threat intelligence, you should check out the Recorded Future podcast, where I am also the host. You can find out more about that at .

Dave Bittner: [00:12:35:22] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.