The CyberWire Daily Podcast 10.10.17
Ep 451 | 10.10.17

Cyberespionage in the Korean peninsula. Russian influence operators bought Facebook, Google ads. Forrester hacked. Kovter, OilRig get upgrades. US CYBERCOM CSM notes.


Dave Bittner: [00:00:00:22] A big thank you to all the people who have signed up to support us on Patreon; we're getting new people signing up every day. You can join all of these smart and attractive people who've chosen to show their support of the CyberWire at

Dave Bittner: [00:00:17:14] North Korea may have hacked into South Korean defense plans. Facebook and Google receive increasing scrutiny for Russian ad buys during the 2016 US election season. A dissident Chinese billionaire exiled to New York says he's been under cyber attack from Shanghai. OilRig is back with new and improved cyber espionage. Forrester market research reports are accessed by hackers. And we offer some observations from the Cyber Pavilion at the Association of the United States Army meetings.

Dave Bittner: [00:00:52:05] A quick note about our sponsors at E8 Security, they understand the difference between a buzz word and a real solution and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new but proven technologies at We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that, while we might assume supervised machine learning – where a human teaches the machine – might seem the best approach, in fact unsupervised machine learning can show the human something unexpected. Cut through the glare of information overload and move from data to understanding. Check out and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:59:09] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, October 10th, 2017.

Dave Bittner: [00:02:10:06] Amid tensions over North Korea's increasingly capable missile and nuclear arsenal, reports out of South Korea indicate that someone has successfully hacked into some of Seoul's defense planning files. Reports from both France and South Korea say that some 235 gigabytes of sensitive data were accessed in September of last year. They included detailed war plans to be used in the event of a North Korean attack, including plans for a decapitation strike against North Korean leadership. Such a strike would be designed to destroy the Kim regime and with it, presumably, the North's ability and willingness to continue a war that recent tests and threats suggest could rapidly escalate to nuclear attacks on South Korea.

Dave Bittner: [00:02:54:12] Some sources indicate the hackers were based in China, and there's some uncertainty as to attribution, but North Korea seems the obvious suspect to observers. Some of Pyongyang's cyber operators are known to work from China.

Dave Bittner: [00:03:09:06] Turning to presumed Russian attempts to influence US elections, Facebook initially seemed uncertain that Russia had been behind some of the election-season influence operations the social media company found itself enmeshed in last year, at first pulling attribution to Russia from early versions of its report on the matter. The company now has said there were Russian advertising purchases. Google is also facing renewed scrutiny over Russian ad buys.

Dave Bittner: [00:03:35:21] The amounts bought seem relatively small: "sub-hundred-thousand-dollar purchases," as people are saying. This would be not particularly significant in the context of typical election spending. The reports on where the ad money from Russia went are interesting, and probably instructive. The messages supported Donald Trump, but also insurgent independent-running-as-a-Democrat Bernie Sanders and Green Party candidate Jill Stein. Some reports suggest that the buyers regarded all three as probably also-rans.

Dave Bittner: [00:04:07:17] Chinese sources deny involvement in apparent cyber attacks directed against a Chinese businessman who's been critical of alleged corruption in PRC leadership. Guo Wengui is a billionaire currently residing in New York and asking for political asylum; he's facing an indictment in China on corruption charges himself. The incidents were directed at organizations associated in some way with Mr Guo. A Hudson Institute event was canceled after an apparent DDoS campaign mounted from Shanghai, and a second unspecified incident is said to have led the law firm Clark Hill to withdraw representation from him. They'd earlier lodged his asylum claim.

Dave Bittner: [00:04:48:12] Guo Wengui has accused China's ruling Communist Party of being a kleptocracy. Chinese officials deny involvement in any of the alleged incidents, and say they've had nothing to do with any cyber attacks the exiled billionaire may have faced. The Chinese Ministry of Public Security said, “the Chinese government would like to suggest that the US law enforcement authorities supply China with the detailed information, relevant clues and evidence, so that China could assist in the investigations to identify the real source of such hacking.” The Ministry said they'd cooperate with US investigators.

Dave Bittner: [00:05:23:22] Palo Alto Networks reports that the OilRig threat group, prominently involved in hacking Middle Eastern targets, is back, with an enhanced set of Trojans in its tool bag. The OilRig cyber espionage threat group is widely believed to be operating on behalf of the Iranian government. Its targets have prominently included Saudi Arabia and other regional rivals. They're using new infection documents and a new injection Trojan.

Dave Bittner: [00:05:51:00] Forrester, the market research firm, has disclosed a breach in which unauthorized parties obtained access to the company's reports. It was apparently a case of credential theft. Forrester says the hackers obtained credentials that enabled them to get the reports. The company stressed that, "There is no evidence that confidential client data, financial information, or confidential employee data was accessed or exposed as part of the incident."

Dave Bittner: [00:06:17:20] When it comes to online authentication and identity, we probably pretty much agree that a simple username and password combination just doesn't cut it these days. With more data and services moving to the cloud, the notion of simply protecting your perimeter can get a bit cloudy.

Dave Bittner: [00:06:36:19] Yassir Abousselham is Chief Security Officer at Okta, where one of their specialties is identity management, and he offers his perspective.

Yassir Abousselham: [00:06:44:03] When you take a look at where we came from as an industry, in the past we had a handful of enterprise applications that were on-premises, and to be able to access those services you would have to be within the network perimeter. Things have changed over the last decade, so a lot of the applications are now outside the network perimeter. Some of those applications are managed by IT, and some other applications are managed by the user. So the users essentially are defining their requirements and looking for applications that meet those requirements and allow them to do their jobs. So, in a way, IT does not have 100% control over accounts that are used either to access corporate data or to manage all the transactions that the business user has to carry out on a daily basis.

Dave Bittner: [00:07:36:11] So are we talking about cloud based services, things like Gmail, Dropbox, things like that?

Yassir Abousselham: [00:07:42:23] That is correct. Those services could be application services such as Dropbox, Gmail, Concur, and so on but we're also talking about infrastructure services such as AWS.

Dave Bittner: [00:07:55:24] And so as we've gone to these online and cloud based services, has the role of identity changed or kept up?

Yassir Abousselham: [00:08:05:09] The role of identity is changing in a way that it's becoming the cornerstone of the security strategy of every enterprise. So when you think about it, the network perimeter is eroded, since now we cannot protect services that are hosted within the perimeter. Most of those services are migrating to the cloud and are no longer hosted on-premises, and so we cannot rely on the network perimeter to protect access to those services. As these services move to the cloud, the users and user accounts are also located in the cloud, so they are outside of the network perimeter, and really the identity is the only element that we can control, and that's where we need to focus our security controls. That's why a lot of companies right now rely heavily on identity as a service as, as I mentioned, a cornerstone of their identity and security strategy.

Dave Bittner: [00:09:03:05] So beyond the old school username and password, we have things like multi-factor and biometric authentication. What sorts of things are on your radar?

Yassir Abousselham: [00:09:14:23] The first thing that we need to consider is the fact that we need to implement this layer between the business user and all of the services that they need to access. That layer can be in the form of single sign-on, in that we maintain a single user account for all of these services that the business users need to do their jobs on a daily basis. The second thing that we need to add is multi-factor authentication. So now, we believe, cyber attacks are increasing in number and in sophistication. We need to add multi-factor authentication as a requirement to be able to protect access to these services. And because of the fact that the number of attacks and the sophistication of the attacks is increasing, multi-factor authentication is now required. And that's just one element and one layer that we need to add to our security strategy to properly secure access to the enterprise assets.

Dave Bittner: [00:10:17:17] That's Yassir Abousselham, he's the CSO at Okta.

Dave Bittner: [00:10:21:21] Proofpoint warns that purveyors of Kovter malware are running a new aggressive campaign; its apparent goal is ad fraud.

Dave Bittner: [00:10:30:08] We've been down in Washington DC, covering the Association of the United States Army's annual meetings from the Military Cyber Professionals Association's Cyber Pavilion. We'll have some extensive accounts of the sessions later this week, but wanted to share a brief account of Command Sergeant Major David Redmon's presentation yesterday on the current state of US Cyber Command. He's the senior non-commissioned officer at both US Cyber Command and the National Security Agency.

Dave Bittner: [00:10:58:15] He began with a caution for military people thinking about cyber operations, "It's easy to become intimidated by the technology," he said. But in his experience the commands that are most effective operating in cyberspace are those that take their existing processes and apply them to the domain. Cyber effects bear strong comparison to kinetic effects, and this should be borne in mind when thinking about cyber operations. The cyber operators themselves, he said, need to remember that there's a "so-what" to their craft. They have to bear in mind that they're working in support of larger goals. It's not, he said, just a matter of high-fiving when you've succeeded in doing something to a box somewhere.

Dave Bittner: [00:11:40:00] He also confirmed what many others have observed: there's a strong convergence between cyber operations and more traditional intelligence and electronic warfare disciplines. And he echoed a familiar call for more effective use of artificial intelligence to free operators from the repetitive tasks they find themselves involved with. We'll have more on this and other presentations later this week.

Dave Bittner: [00:12:06:06] Time to share some news from our sponsor Cylance. Cylance has integrated its artificially intelligent CylancePROTECT engine into VirusTotal. You'll know VirusTotal is the free online service that analyzes files and URLs to identify viruses, worms, Trojans and the other kinds of badness antivirus engines and website scanners pick up. Well, Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive and the Internet a safer place. It's like public health for cyberspace: free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyber attacks, and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit and look at their blog for more on their contribution to our online immune system. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:13:05:21] And joining me once again is Chris Poulin, he's a principal at Booz Allen Hamilton Strategic Innovations Group. He heads up their Internet of Things security team. Chris, welcome back. We want to touch on medical devices today. We've seen stories recently about pacemakers and insulin pumps. What's your take on where we are when it comes to protecting connected medical devices?

Chris Poulin: [00:13:28:03] Yeah, it's interesting, it's sort of the new frontier right now. As a matter of fact, at DEF CON we saw that there was a biohacking village around different types of implantables, and I know that the medical device manufacturers are highly concerned about the security of their devices. It's kind of interesting, though; it's sort of a mixed bag. Between implantables, everybody sort of seems to focus on pacemakers and insulin pumps and all the things that have a direct consequence on the humans who are wearing those devices, but there are also other things like infusion pumps, and MRI machines and x-ray machines are also connected.

Chris Poulin: [00:14:02:02] And so on one hand we want to protect the patients, but on the other hand the thing that concerns me quite a bit is that even just an infusion pump – and one of the security researchers not too long ago found that it was listening on Telnet without a username or password. So you could Telnet to the device and they would drive you to a word show. And so, you know, the thing that scares me the most is that if you were in a hospital, even if you're not at risk of somebody turning up the infusion pump and giving you dose after dose after dose, the attackers are still using those things as a front door to get into the medical networks and eventually get to the billing systems and to the electronic medical records, which we know are worth a lot more on the black market than credit cards are. And in fact there was some research, I think in 2015, where some security researchers went on Shodan and they found that 68,000 medical devices were actually exposed to the Internet that provided an access point to get into a health care network.

Chris Poulin: [00:15:03:01] I think the thing that we're focusing on is not just looking at what can happen from a gee-whiz perspective or a shock-and-awe factor – literally, when we talk about pacemakers, no pun intended – but also the fact that medical devices themselves are there, far and wide and scattered amongst different places, and not just the big hospitals but also the small caregivers who may or may not understand cyber security in the first place. And that exposes medical records. So one of the things that we've been doing is working quite a bit on trying to find vulnerabilities in devices and profile them, but also putting in place technical stacks that help to identify the medical devices and appropriately isolate them so that they're not directly on the same networks as information that's valuable to cyber criminals.

Dave Bittner: [00:15:51:09] All right interesting stuff. Chris Poulin thanks for joining us.

Dave Bittner: [00:15:56:01] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible especially our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence visit

Dave Bittner: [00:16:08:20] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.