The CyberWire Daily Podcast 2.20.18
Ep 539 | 2.20.18

SWIFT fraud in India. DPRK hacking updates. Notes on Russian influence ops, both indictments and continuing activity. Alleged Florida gunman may have been an Internet known wolf.


Dave Bittner: [00:00:00:20] Thanks again for all of our Patreon supporters. You can find out how you can become a supporter at

Dave Bittner: [00:00:10:24] Swift fraud hits an Indian lender. North Korean hacking continues even during the DPRK's Winter Olympics charm offensive. The U.S. indicts Russian influence operators. The Internet research agency is the leading defendant. Russian trolling continues exploiting the Florida school shooting. And the alleged shooter apparently expressed his intentions online. And all Five Eyes see Fancy Bear behind NotPetya.

Dave Bittner: [00:00:41:14] And now a moment to tell you about our sponsor, ThreatConnect. They've teamed up with Domain Tools for a webinar on mapping connected infrastructure. As you know, the more information you have about a potential threat, the better you can defend against it. And in order to stay ahead of malicious actors, it is crucial that security teams add context and enrichment to their threat data.

Dave Bittner: [00:01:02:02] The combination of the ThreatConnect threat intelligence platform and Domain Tools Iris investigative platform empowers security professionals to hunt APTs efficiently and effectively.

Dave Bittner: [00:01:13:12] Watch director of Product Integrations and Domain Tools, Mark Kendrick, and threat intelligence researcher at ThreatConnect, Kyle Ehmke, as they explain how the same techniques can help network defenders and incident responders efficiently protect their own organizations. In addition, get an inside view into how ThreatConnect and Domain Tools work together to enable thorough domain actor and IP investigations. You can check it out today at That's And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:57:04] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Tuesday, February 20th, 2018.

Dave Bittner: [00:02:07:11] In 2016, the Bangladesh bank was the victim of fraud committed via the SWIFT International Fund Transfer system. Recently banks in Russia have reported similar fraudulent transfers and over the weekend a small, commercial lender in India, also reported robbery through Swift exploitation. On Sunday that country's City Union Bank said cyber criminals had hacked it's systems, and transferred nearly $2 million in three unauthorized remittances to lenders oversees.

Dave Bittner: [00:02:36:10] The bank blocked one of the transfers. $500,000 designed to move through a Standard Chartered bank account in New York, to a lender based in Dubai.

Dave Bittner: [00:02:46:19] A second transfer, 300,000 Euros, roughly $372,000, was routed through a Standard Chartered bank account in Frankfurt to an account in Turkey. In this case the Turkish lender involved prevented the transfer from being finalized. The third transfer went through. It traveled to the Zhejiang Rural Credit Cooperative Union in Hangzhou, China via a New York Bank of America account. And that successful remittance amounted to $1 million.

Dave Bittner: [00:03:16:01] It's worth noting that as was the case with 2016's raid on Bangladesh bank, the security issues appear to have been on the bank's end. And didn't represent a general compromise of the Swift system itself. The Bangladesh bank heist has generally been attributed to the Lazarus Group, the North Korean government hacking unit, but the City Union Bank fraud is so far unattributed.

Dave Bittner: [00:03:38:17] It's also not know who was responsible for 2017's SWIFT based raids on banks in Russia. That country's central bank said last week that cyber criminals made off with 339.5 million rubles, it's about $6 million, over the course of the year.

Dave Bittner: [00:03:56:03] It's ongoing charm offensive in PyeongChang aside, North Korea has continued cyber operations against it's customary targets. And according to a study by security firm, AlienVault, worms developed by the DPRK continue to circulate. Some are unsophisticated, some more so than others. And some have the appearance of developmental articles that got loose from their creators. These include WannaCry, of course, and also the Brambul family of malware that's been in circulation for nearly ten years. Two other worms that are out and about are Rivts and Faedervour, both of which have been served by North Korean news agencies. Rivts has been found in the voice of Korea website. Faederdour has infested the Korean news agency. Both of these appear to have initially hit targets within the DPRK. Faedervour is thought to be associated with the Dark Hotel threat group that's aggressively prospected government and business leaders who have some interest in North Korea.

Dave Bittner: [00:04:55:02] There are reports that a DPRK hacking unit has decamped from Hong Kong, and set up shop in the Russian far east. The Japan Times reports that a North Korean cyber ops group, formerly based in Hong Kong, has left the Chinese city in an apparent attempt to evade enforcement actions by Hong Kong authorities. They now appear to be operating from Vladivostok, and engage mostly in cyber crime designed to redress sanction induced North Korean financial shortfalls.

Dave Bittner: [00:05:25:03] On Friday the U.S. Justice Department announced an indictment based on Special Counsel Mueller's investigation of election influence operations. Three Russian organizations and 13 Russian individuals were charged with conspiracy and other crimes related to activities during the 2016 election cycle. St Petersburg's Internet Research Agency is alleged to have played a significant role in what it itself called, information warfare against the United States'. Their activities seemed to have consisted of a mix of conventional espionage and social media enabled propaganda. Among their more interesting accomplishments are alleged to have been the organization of political demonstrations, in which unwitting people depose to believe the worst of their opponents were induced to attend astroturfed rallies.

Dave Bittner: [00:06:12:22] During the election season their activities were directed against eventual democratic candidate, Clinton, first in support of her primary opponent, Senator Sanders, and then with a big push for her general election opponent, Donald Trump. After the election the Russian ops put on a couple of resist actions against Trump.

Dave Bittner: [00:06:30:10] Discord and mistrust were the overarching goals of the alleged Russian operation. Such operations are widely expected to continue. And apparently they are continuing - mid-term elections or no. There are reports of Russian trolls exploiting last week's Florida school massacre with various pro gun messages. When the opportunity arises, they can be expected to move to anti gun messaging. The goal isn't any particular policy but rather a weakened, confused and divided United States.

Dave Bittner: [00:07:00:14] The alleged shooter in that massacre, by the way, seems to have been a known wolf. Disturbed, alone and not apparently part of any movement. He is said to have disclosed his intentions in various social media. A person close to the alleged shooter called the FBI tip line on January 5th about him and in September of last year, a YouTuber also contacted the FBI about him. He had left a comment on a video saying, "I'm going to be a professional school shooter." But the January tip seems to have been particularly detailed and disturbing. Florida authorities say the Bureau failed to alert them to the danger and Florida's governor has called for the resignation of FBI Director, Wray. The FBI itself says it failed to follow proper protocol and that it's investigating how it handled the tips.

Dave Bittner: [00:07:48:12] The Bureau says it covered 'Cruz's gun ownership, desire to kill people, erratic behavior, and disturbing social media posts as well as the potential of him conducting a school shooting'. In fairness to the Bureau, which does indeed seem to have been supine in this case, local authorities dealt with a lot of red flags too. The Broward County Sheriff said his office had responded to about 20 calls about the shooter over the last few years.

Dave Bittner: [00:08:17:07] Finally, to return to Russian cyber operations, they're not all confined to propaganda. All Five Eyes, that is the intelligence services of Australia, Canada, New Zealand, the United Kingdom and the United States, have now looked at NotPetya and see the same thing. A Russian government operation. They received public industry support from FireEye which sees the work of the Russian Sandworm group in last year's pseudo-ransomware campaign.

Dave Bittner: [00:08:48:09] And now a message from our sponsors at E8 Security. We've all heard a great deal about artificial intelligence and machine learning in the security sector. And you might be forgiven if you've decided that maybe they're just the latest buzz words. Well no thinking person believes in panaceas, but AI and machine learning are a lot more than just empty talk. Machine learning for one thing, is crucial to behavioral analytics. You can't recognize the anomalous until you know what the normal is and machines are great at that kind of base-lining. For a guide to the reality and some insights into how these technologies can help you, go to and download E8's free white paper on the topic. It's a nuanced look at technologies that are both future promise and present pay off in terms of security.

Dave Bittner: [00:09:33:10] When you need to scale scarce human talent, AI and machine learning are your go-to technologies. Find out more at E8 security - follow the behavior, find the threat. And we thank E8 for sponsoring our show.

Dave Bittner: [00:09:55:20] And I'm pleased to be joined once again by Rick Howard. He's the chief security officer at Palo Alto Networks. And he also runs Unit 42 which is their threat intelligence group. Rick, welcome back. We have touched on the notion of capture the flag contests and the importance of them. You have an event coming up soon partnering with the University of Alabama. So besides plugging them I thought maybe we would revisit this notion of the importance of these events.

Rick Howard: [00:10:22:18] Yes, you and I have talked before about the shortfall in open cyber security jobs. Some people predict that by next year there will be two million jobs open, meaning that the commercial and government organizations around the world have open jobs for cyber security positions but will not be able to fill them with qualified people. In order to help that we're experimenting with how you can get more people interested in cyber security. One way you might do that is with capture the flag contest.

Rick Howard: [00:10:52:05] It sounds easy, just train people and they can be cyber security people but it's a real problem and here's one of the issues; we're not hiring enough women and minorities into these cyber security positions. In the tech industry in general, women make up 25% of the workforce. If you look at cyber security specifically they only make up about 11%. If you add an identifier say a black woman or a Hispanic woman or a religion other than Christian, that number drops below 1%.

Dave Bittner: [00:11:24:06] It's not good numbers.

Rick Howard: [00:11:26:06] But even if you're not a diversity inclusion fan like I am, let's just say you're trying to fill some of your vacancies out there. If you are just being practical, in order to fill these two million jobs, you need to expand the potential poll of candidates. That means that at least half of your candidates have to come from the female gender, even I can do that math. [LAUGHS]

Dave Bittner: [00:11:49:07] Alright so let's get out there and hire more women. What's keeping us from doing that?

Rick Howard: [00:11:55:01] There's always a truth in the world where the problem is way more complicated than you think it is. It turns out that you have to get a lot of things right to be successful here. So first, you have to keep women and minorities that you already have employed, happy in your workforce. And you're happy that they're there. And what I mean by that is if the environment is toxic for whatever reason, you know, there's a bro culture or there's unconscious bias against women and minorities, or even if there's conscious and sanctioned bias against them, women and minorities are not going to stick around.

Rick Howard: [00:12:26:12] So we have to fix that issue. Second is that you have to develop a culture within your own organization that is pro diversity and inclusion for when you want to hire new employees. That means that leadership of your organization has to stand up and sing that the diversity and inclusion is an important part of the company culture. Not only because it's the right thing to do, but because a more diverse group gives us better ideas about how to solve the company's problems. This is a leadership thing and more old white guys like me need to stand up and own this stuff.

Dave Bittner: [00:12:59:04] And lastly, this is the hard part, you have to hire qualified people. I am not suggesting that you have to lower your standards to hire these employees that you want. What I'm saying is if you're hiring for an open position and if you are wading through a stack of resumes, if at least half of those candidates are not women or minorities, you're doing it wrong.

Dave Bittner: [00:13:19:09] Okay so but let me play devil's advocate here and how about getting women into the pipeline. Women in minorities, I've heard hiring people say, I'd love to hire these people but I'm not getting the resumes on my desk.

Rick Howard: [00:13:32:15] I just don't accept that notion. The CyberWire helps out with the women in tech conferences. I attended the Greatest Hopper conference last year; they claim it's the largest gathering of female technologists on the planet. And I've got to tell you, I couldn't collect resumes fast enough because there were so many talented women there. But it is true, too many young women, sometime between their junior high and high school years, they tend to lose interest in STEM subjects. I had to look it up because I always say the word STEM but I can never remember the acronym. It stands for science, technology, engineering and math. So a community, we don't really understand why that happens that well but you can't really argue that isn't happening. One potential solution is to find ways to keep young women, as early as elementary school, engaged and inspired by the cyber security field before they start to lose interest, because it's really tough to capture them again once they've walked away. So what many are trying to do and what we're doing in the next couple of weeks is organize cyber events for young people. The idea is capture their interest early and keep them interested.

Rick Howard: [00:14:43:23] So we're hosting one on February 24th at the University of Alabama at Birmingham. We're running a capture the flag contest organized by the school's grad students. They have some 20 high school teams participating and Palo Alto Networks is giving away $20,000 of scholarship money for the winners.

Dave Bittner: [00:15:01:21] So help me understand here, why Palo Alto feels that this is a good place to invest this kind of money?

Rick Howard: [00:15:08:24] It seems small. In 2018 it's not that big but here's the thing, there are hundreds of these cyber events going on in the country right now. And that must mean that everybody thinks it's a good idea is why I bring this up. Here's a problem that I've noticed, that we’re all stovepiped. No one group is talking to everybody else. It's tough in that environment to judge what is working on a national and international scale and what is not. I think this is a perfect thing for government agency, maybe DHS, to get behind. Organize a national, cyber event program where we could collect everybody under one umbrella. I don't mean they own everything. I just mean everybody is part of this big organization so we can figure out what resources are needed, we could collect some stats and we could share what's working and what's not. This is one way we can scale the effort.

Dave Bittner: [00:16:00:02] I've heard from the people who do the hiring that these capture the flag contests are ways for people to differentiate themselves on the resume side.

Rick Howard: [00:16:09:04] You can definitely pick out the talent. We've done this one at the University of Alabama. This is the second year we've done it. When we did it last year you can definitely say, oh, I want to get that guy's information or that person's information because they're going to be talented and going to be great for us going forward.

Dave Bittner: [00:16:24:15] All right Rick. Well good luck with the event, it's coming up at the University of Alabama. We hope you get lots of people come out for it.

Rick Howard: [00:16:31:06] Thank you sir.

Dave Bittner: [00:16:34:08] And that's CyberWire. Thanks to all of our sponsors for making the CyberWire possible. Especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit And thanks to our supporting sponsor E8 Security, follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:16:56:12] Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed and check out the Recorded Future podcast which I also host. The subject there is threat intelligence and every week we talk to interesting people about timely cyber security topics. That's at

Dave Bittner: [00:17:24:18] The CyberWire podcast is proudly produced in Maryland out of the start up studios of Data Tribe where they're code building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media with editor John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe and I'm Dave Bittner. Thanks for listening.