The CyberWire Daily Podcast 2.24.16
Ep 42 | 2.24.16

Operation Dust Storm vs Japan. Operation Blockbuster vs. The Lazarus Group. Venture capital gets tight.


Dave Bittner: [00:00:03:06] Operation Dust Storm kicks up a ruckus in Japan's critical infrastructure, The Lazarus group said to be working on behalf of North Korea is described by an industry consortium working as Operation Blockbuster. Malware is increasingly industrialized and professionalized. Apple returns the FBI's serve releasing a list of other requests pending under the All Writs Act. Venture capital may be getting tighter and acquisitions more attractive. And, finally, parents, your kids' smartphone isn't just a pricier library card.

Dave Bittner: [00:00:34:15] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation, and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at

Dave Bittner: [00:00:57:12] I'm Dave Bittner in Baltimore, with your CyberWire summary for Wednesday, February 24th, 2016.

Dave Bittner: [00:01:03:11] Some news on major threat actors breaks today. Cylance reports that Operation Dust Storm, a multi-year, complex campaign, is systematically pursuing data from electric utility, oil and gas, finance, transportation and construction companies. The point of entry is Japan, but the companies targeted have operations or connections that extend throughout Europe, Asia and North America. Following its normal caution about attribution, Cylance says indications are that the actor is a nation-state, but it explicitly declines to name one. Cylance has told us on more than one occasion that it believes attribution is difficult, that evidence is too easily spoofed, and that there's a hasty rush to judgment, and that after all attribution is best left to people who "wear badges and carry guns" - that is, to law enforcement authorities. Their commendable reticence of course hasn't stopped general speculation about China and North Korea as the usual suspects.

Dave Bittner: [00:01:58:10] Some of the more interesting features of Operation Dust Storm included complex attack modes, spearphishing, water-holes, backdoors, and zero-days have all been used to compromise corporate networks and Android devices, and its use of attack code that appears to have been customized to particular targets. You can find details at Such customization is not confined to Operation Dust Storm either. Webroot in its 2016 Threat Brief concludes that malwares’ increased tailoring to specific endpoints is now effectively "rendering signature-based security virtually useless."

Dave Bittner: [00:02:32:12] The other big threat actor news comes from the industry consortium that's been working on the so called Lazarus Group led by Novetta with participation from Symantec, Kaspersky, AlienVault, Invincea, ThreatConnect, Volexity and PunchCyber. Operation Blockbuster has published its results. The researchers find that the Lazarus Group has been active in cyber espionage since 2009, and that it participated in the Sony hack of November 2014. They traced the group to North Korea, no reticence here, and sight reused code and common pass-words among the principle pieces of evidence.

Dave Bittner: [00:03:06:10] Much malware is now being open-sourced in criminal markets. Various precincts of the Dark Web functioning effectively is a R&D shop for cyber gangs. The same collaboration and intelligence sharing that benefits legitimate work like that done by Operation Blockbuster can also be turned to elicit purposes. BAE's head of cyber threat intelligence sees an increasing professionalization of cyber crime with malware production becoming industrialized. The CyberWire spoke briefly with Loucif Kharouni, senior threat analyst with Deloitte Cyber Risk Services who described how crimeware and botnets are now being offered on a as-a-service basis.

Loucif Kharouni: [00:03:41:10] At Deloitte, we can see two big groups. One is a group of very professional, dedicated criminals who owns what they do meaning they own the malware itself, malware that are not sold on forms to anyone, and then you have another group where you have this set of criminals creating malware and sending the toolkit to other users in forms, but at the same time they are also using it for themselves. And then you have the third set of people who are just the users, people buying toolkits and services around. So, at the end of the day if you have the means, you can have your whole botnet set up without any intervention from you. I don't think we talk enough about it, and about this new community coming into this business. We already know the ones that are into this business for a long time. The scary part is the ones coming because there are so many and it's so open. There are so many services that are not necessarily expensive, but for a few hundred bucks you can have a botnet set up and running probably even for less.

Dave Bittner: [00:04:50:22] An ESET-sponsored study in the UK suggests that the average age at which children first get their smartphone and with the ability to surf and download pretty freely is 10. Parents it seems are coming to regard a phone as a more expensive library card. That it's more than a library card and probably deserves to be managed with considerably more circumspection may be seen in the continuing story of uKnowKids, the firm that offers online child safety monitoring. UKnowKids has accused MacKeeper researcher, Chris Vickery, with breaching its networks. Vickery says, he found an exposed database and that uKnowKids security is at fault. In any case, some 1700 kids' data seemed caught in the middle.

Dave Bittner: [00:05:30:09] In patch news, Microsoft updates its immense security software, and the old familiar Drupal 6 content management framework reaches the end of its life today. It will no longer be patched or upgraded.

Dave Bittner: [00:05:42:02] In industry news, some analysts see a slow down in the rate at which venture capital is flowing into cyber security start-ups. The immediate effects of the slow down are being seen in start-ups cutting operating budgets and in a spike of M&A interest. There is indeed a spike in M&A news and rumor this week. Blackberry has brought British cyber security consultancy, Encription, and Thycotic is reported to have picked up Windows endpoint security and application control software shop, Arellia. The biggest news in this area, however, is still in the realm of rumor. IBM is thought to be about to buy Resilient for a reported £100 million. Resilient is best known as the corporate home of security guru, Bruce Schneier.

Dave Bittner: [00:06:22:06] In the U.S. the stand-off between Apple and the FBI continues with Apple getting in the latest volleys in their public exchange. The company's lawyers have released a list of 12 devices for which Apple has received requests for assistance under the All Writs Act which suggests that there may be more at stake here in terms of precedent than the Justice Department has been wont to indicate.

Dave Bittner: [00:06:44:06] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning, co-working space, incubator and campus for technology and entrepreneurship located in the federal hill neighborhood of downtown Baltimore. Learn more at

Dave Bittner: [00:07:02:19] Joining me is John Petrik, Editor of the CyberWire. John, it seems like we're seeing more and more stories that are sort of wrapped around social media and how that affects information ops?

John Petrik: [00:07:11:13] We certainly are. One of the things that's been striking about ISIS, has been that it is not so much operated on a traditional command and control model, where people are being formally tasked and given orders, and so on and so forth, but rather it's been organized on a cellular basis and it's relied on inspiration. So, this is concerning people, and this is the kind of thing that people are hoping for an answer to.

Dave Bittner: [00:07:31:24] And, this leads us to Twitter. Twitter's taken some heat lately for how they've handled removing accounts.

John Petrik: [00:07:37:19] Right. For one thing, Twitter is one of the companies that's been asked by the government, in the government's general push to help us do something about the ISIS narrative, about extremist narratives. So, Twitter has been blocking accounts that are associated with ISIS. In fact, there was some news earlier this week that actually came out of the program at George Washington University, the program on extremism, that said that Twitter had successfully suspended about 125,000 accounts linked to terrorists. So, what Twitter is interested in doing is shutting down what it takes to be certain kinds of obnoxious behavior. So, it formed--, and the name of this has been unfortunately received by people what it calls a trust and safety council in which it's assembled a group of various activists, stakeholders, and so on and so forth, and they've assembled that earlier this month to go through and look for accounts that are abusive. So, the complaint and the stick that Twitter is getting from the bloggers generally, is that it seems that the members of the trust and safety council are probably disproportionately going after ideological disagreement, at least as much as they're going after things that any fair-minded person would recognize as trolling, or threats of violence and so forth.

Dave Bittner: [00:08:50:07] Is there a sense that Twitter is having any success in eliminating these accounts, is it making a difference?

John Petrik: [00:08:56:18] Well, I mean, the George Washington University program thinks that they did a good job in getting rid of those 100,000 plus accounts that were associated with ISIS, and George Washington has also said publicly that they think that there are fewer accounts and there's less of this kind of inspiration traffic coming out of Syria. On the other hand, there were two groups in Baghdad that just swore allegiance to the local affiliate of Al-Qaeda. Where was this announced? In the Al-Qaeda official Twitter feed, and that doesn't mean that Twitter is ill-willed or incompetent or that it's been subverted, it just shows that this is not an easy task.

Dave Bittner: [00:09:35:20] John Petrik, thanks for joining us, and that's the CyberWire. For links to all of today's stories along with interviews, our glossary, and more visit the The CyberWire podcast is produced by CyberPoint International, and our Editor is John Petrik.

Dave Bittner: [00:09:51:06] I'm Dave Bittner. Thanks for listening.