The CyberWire Daily Podcast 2.26.18
Ep 543 | 2.26.18

Olympic hacking—false flags and attack infrastructure. Cryptojacking. Smartphone security bans. Heraldic animals of hacking.


Dave Bittner: [00:00:00:19] Just a quick reminder that there are several ways you can help spread the word about The CyberWire, you can leave a review for us on iTunes, or you can just tell your friends, spread the word on social media with your colleagues at work. We do appreciate it. Thanks.

Dave Bittner: [00:00:16:14] Anonymous US Intelligence sources call the Olympic hacks a Russian false flag operation. More Cyber attacks are expected from the infrastructure set up to hit the Games. Calls for international norms for cyber conflict rise. CrowdStrike's Global Threat Report sees proliferation and commodification of attack tools. An ad network serves a cryptojacker. Are they malicious smart phones or just a trade war? And, a scorecard for hacking heraldry.

Dave Bittner: [00:00:49:00] I'd like to share some words about our sponsor, Cylance. You know you've got to keep your systems patched, right? Patching is vital. And WannaCry, which hit systems that hadn't been patched against a known vulnerability, well, that's exhibit A. But you also know that patching is always easier said than done. Cylance has some thoughts about how you can buy yourself time and breathing room if you went for modern endpoint protection. Think about protecting the end points from the threats you never see coming. Cylance endpoint security solutions will do exactly that - fend the bad stuff off and do your patching quickly but systematically. It's artificial intelligence and it's a natural for security. Check out the Cylance blog, Another Day Another Patch, at We thank Cylance for sponsoring the CyberWire.

Dave Bittner: [00:01:49:13] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, February 26th, 2018.

Dave Bittner: [00:01:59:11] Anonymous sources in the US Intelligence Community are telling The Washington Post, and others, that Russia's GRU was responsible for the hack that marred the Pyeongchang Winter Olympics' opening ceremonies. The US sources also assert that it was a false flag operation intended to look like a North Korean hack. The GRU accomplished this through some code reuse, use of North Korean IP addresses and some scattered Korean language cues.

Dave Bittner: [00:02:25:24] If this is indeed a false flag operation two things are noteworthy, first, the imposture was pretty thin because suspicion fell almost immediately on Russia as private sector security firms commenting on the incident noted that it had the hallmarks of a Russian operation. Second, the GRU, Russia's military intelligence service, is well known as the lair of Fancy Bear, Fancy Bear, an apparent retaliation for anti-doping sanctions against the Russian team, had begun doxing the international Olympic Committee and individual non-Russian athletes late last year.

Dave Bittner: [00:03:02:19] For those interested in the probably organization charts, the GRU operators are believed to work in the agency's Main Center for Special Technology. They are the same outfit generally denounced last week as responsible for last year's NotPetya pseudoransomware campaign.

Dave Bittner: [00:03:20:09] Observers think that those who hacked the Olympic Games' sites also succeeded in establishing persistence in the victim's networks. They had gained access to a number of routers and they are expected, by many, to use the infrastructure established for the games in future attacks against other targets.

Dave Bittner: [00:03:38:04] The International Olympic Committee is reviewing Russia's behavior this week with a view to possibly reinstating the country's national team as an official participant in the Olympics. The main issue is doping, but it's reasonable to expect the hacking may also figure in their deliberations. Olympic hacking, it's good to recall, goes back to Rio 2016, or even, if you count the bogus Ku Klux Klan leaflets the Soviet security organs printed and distributed to scare people away from Los Angeles in the pre-internet days of 1984.

Dave Bittner: [00:04:10:04] Pyeongchang, with its hacks and doping scandals, is now in the books. But tomorrow is another day. Russian athletes were permitted to compete as individuals under the non-flagged, non-anthemed collective called Olympic Athletes From Russia, or OAR. The OAR designation and restrictions didn't prevent the athletes, formerly known as the Russian Hockey Team, from belting out the Russian national anthem on the podium, so there, IOC. Nor, alas, did it completely inhibit doping. One of those popped for doping during the games tempted fate by sporting a sweatshirt emblazoned, in English, with "I don't do doping, I am za sport."

Dave Bittner: [00:04:50:00] We note that the shirt was in the Russian red white and blue, which colors the IOC wished the athletes, formerly known as the Russian team, to avoid. Those colors were okay for other teams, of course, France, Slovakia, the Czech Republic, Slovenia, the US, the Netherlands, and even the UK, albeit expressed with the crosses of St. George and St. Andrew, and so on. So, in our view, the IOC should expect more doxing.

Dave Bittner: [00:05:15:23] Sport hacking is vexing, particularly to fans, participants and other interested parties, but, of course, many more serious varieties of state sponsored cyberattack have become common. Sentiment in favor of some sort of international, peaceful agreement in cyberspace grows, especially in the tech industry. There are calls for a truce to limit cyber conflict.

Dave Bittner: [00:05:37:11] Unfortunately, such treaties are unlikely to do much more than afford a background against which it might be possible to blame and shame. Given the notorious difficulties of attribution, even when state agents are as noisy and heedless of detection as Fancy Bear, even this hope maybe a forlorn one.

Dave Bittner: [00:05:55:09] Another challenge to the limitation of cyber warfare is noted by CrowdStrike's 2018 Global Threat Report, issued this morning. Attack tools have become commoditized and less capable states are gaining access to code that would have been beyond their ability to develop and deploy as recently as a few years ago. And the report notes commodity criminal tools are also being repurposed by states and redeployed as cyber weapons.

Dave Bittner: [00:06:22:02] There are strong economic and industrial policy forces working to exacerbate cyber tensions, if Chinese smartphone manufacturers are to be believed. Australia's defense department has joined its US counterparts in banning Huawei and ZTE phones as security risks. Huawei sees the bans as moves in a larger trade war prompted by industry fears of the Chinese company's potential to dominate the market.

Dave Bittner: [00:06:48:13] Biology is more and more intersecting with the digital domain with genomes being decoded, automation in drug development, disease surveillance and food production and safety, but, with these new capabilities come new risks. Randall Murch is research lead and professor of practice at Virginia Tech, and he's heading up an effort to understand the complex issues of cyberbiosecurity.

Randall Murch: [00:07:11:19] Cyberbiosecurity is an emerging new discipline that really tries to bring together the world of cyber and the world of bio, and it's broadly based, and then also with the security components. So, we've actually crafted a definition which is, it's morphing as we talk, but very quickly, it's developing understanding of the vulnerabilities to unwanted surveillance, intrusions, malicious and harmful activities, which can occur within or at the interfaces of co-mingled life sciences, and that includes medicine, cyber physical and infrastructure systems. What we're seeking to do is developing measures to prevent, protect, mitigate, investigate and attribute those threats.

Dave Bittner: [00:07:57:19] So that's the explanation. Can you give us some real world examples of where these things intersect and how it might affect us?

Randall Murch: [00:08:03:12] First of all, the life sciences are heavily dependent on collection of large amounts of data, that's basically IT-enabled. That data is then exploited by advanced computational methods, increasingly AI. Some of that data is particularly sensitive when it relates to somebody's personal health, all the way down to their personal genomics, and so that data is moving around in the cloud, and that data is not secured.

Randall Murch: [00:08:32:04] Two, might be if a company is building a new therapeutic or vaccine to something on an infectious disease or a chronic disease, and wants to maintain their competitive advantage because they've invested lots of money into this. They want to protect their investment so a protection against theft of intellectual property would be another example. Another might be over an agriculture and food systems where drones are used for field disease surveillance and monitoring crops and so forth. Those drones obviously have communication links that are not secure, and if they are corrupted that drone may not be as effective as it's intended to be.

Randall Murch: [00:09:15:08] Another is in area process control, so in biomanufacturing. On a small scale there are more humans in the loop with some IT-enabled support, such as the cyber physical interfaces in fermentation, when you're growing up a microbe that's producing a product of interest. And as you scale up and including in big biomanufacturing there's less human intervention and more automation.

Dave Bittner: [00:09:43:15] We hear these stories related to privacy with people getting their DNA tested, and then the DNA testing companies claiming rights to your DNA, things like that. Is there a sense that people are giving up this data without really knowing what the long-term consequences might be?

Randall Murch: [00:10:03:06] I think that is true, and also, it's one thing for a company to have a legal arrangement with you, that you're going to provide the DNA and they're going to analyze the DNA and provide you with some set of results that you're interested in, but also, then what happens to the DNA when they hold onto it is kind of where you were going with that. But, if, for example, you have a situation, which is actually occurring now, where a company, let's say some kind of organization or entity in the US, outsources the analysis of DNA, whether it's from an electronic health records perspective, or a personal genomics perspective, they can actually use that, and they may be playing by different rules than we have with respect to what can be done with the DNA information, and also how it's protected for privacy purposes.

Randall Murch: [00:11:04:07] So, imagine, for example, the personal genomics, let's say of a military unit, something like that, or one of our military units was stolen, if you will, and it was then fully analyzed, and an adversary really understood what the attributes and limitations for performance or vulnerability to disease, or something like that, you can imagine that there'd be a significant advantage to an adversary as they look at us, that we're a threat, and what they might do with that. Obviously, another one would be if an entity, let's say it's our Department of Defense or some other country's military enterprise is investing in biotherapeutic or a vaccine for an infectious disease, or something, and the adversary understands what the strengths and weaknesses are and builds capabilities around that to avoid that antimicrobial vaccine or whatever it is.

Dave Bittner: [00:12:08:19] That's Randall Murch from Virginia Tech. You can learn more about their efforts in cyberbiosecurity on the Virginia Tech website.

Dave Bittner: [00:12:17:06] In cyber crime news, researchers at security firm Qihoo 360 NetLab say an unnamed ad network installs cryptojackers via advertising it serves on its customer's sites. It's using a domain generation algorithm to evade ad blockers.

Dave Bittner: [00:12:34:17] T-Mobile patches a bug that could have enabled customer account hijacking through the company's website. Whether the vulnerability was actually exploited is unknown.

Dave Bittner: [00:12:44:15] In industry news, PhishMe has been acquired by a consortium of private equity investors for a reported $400 million. The company will rebrand itself as Cofense, the better, it says, to reflect the range of its offerings.

Dave Bittner: [00:12:59:20] Finally, to return to CrowdStrike's 2018 Global Threat Report, we note that the security firm has compiled a useful scorecard that lets you know your hacking animals: Bears are Russian; Chollimas, mythical winged horses, a kind of Sino-Korean Pegasus, are North Korean; Jackals are hacktivists, which seems to say something about CrowdStrike's low view of this category of threat actor; Kittens are Iranian, Persian cats, right? Leopards are from Pakistan; Pandas are, naturally, Chinese; Spiders are cybercriminals; and Tigers come from India. So there you go. But we think no nation should be left behind, people should think up animal names for threat actors belonging to other nations. Consider starting with the Five Eyes, for example, they deserve some love too.

Dave Bittner: [00:13:49:18] Australia seems obvious - the Kangaroo, especially since the wombat is already taken by some guys from Pittsburgh. But you could also go with a kookaburra, New Zealand is probably going to have to be a kiwi, Canada offers a couple of good options, but we'd pick the lucky loon over the bluenose beaver. The UK should be maybe a lion or a unicorn, or both. The US is difficult, the eagle is pretty obvious - too obvious, maybe. Local pride suggests that maybe Maryland's state reptile, the diamond backed terrapin would be a good animal for America. Equation Group is sort of bland, don't you think? Shadow Brokers. Why not Terrible Terrapin? Topper Turtle? Dapper Diamondback? Well, we'll leave this as an exercise for our listeners.

Dave Bittner: [00:14:35:18] Let us know what you think.

Dave Bittner: [00:14:41:20] Now a moment to tell you about our sponsor, ObserveIT. It's 2018, traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time consuming to maintain and too heavy on the end point. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out of the box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at We thank ObserveIT for sponsoring our show.

Dave Bittner: [00:15:48:00] Joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, good to have you back.

Joe Carrigan: [00:15:54:09] It's good to be back, Dave.

Dave Bittner: [00:15:55:16] We've been hearing these ongoing stories about people leaving things in AWS buckets and Amazon web service containers, and that you were having the misconfigured, or just not having the proper security settings on them.

Joe Carrigan: [00:16:10:01] Right, the most recent one being the Red Disk - a virtual disc that was up in Amazon, just completely unprotected, from the department of defense.

Dave Bittner: [00:16:18:12] Right. I don't think people are intentionally leaving things out in the open, or do you think that they're just relying on security by obscurity?

Joe Carrigan: [00:16:29:06] Yeah, I don't know. It could be that somebody put it out there intentionally, but I think that the much more likely explanation is that somebody put it up there going "nobody's ever going to look here." Somebody's going to look there. Wherever there is on the Internet, somebody's looking. It's just a fact of life, and there is no such thing as security through obscurity because there are a lot of people who spend time looking for these kind of things out there that are just available and open. So if you have something out there that's available and open and you put something, as a matter of convenience, up so you can get to it from another place without having to authenticate, you're not the only one doing that, somebody else is going to do that.

Dave Bittner: [00:17:09:13] And they're doing it in an automated way, right? I mean, no-one's manually poking around.

Joe Carrigan: [00:17:14:13] Yes, they're not manually poking around, there are tools out there that you can script these things that go out and look, and if they get a response from a web server or some Amazon site out there that says, hey, there's some interesting things here, then they'll go in and manually look around.

Dave Bittner: [00:17:29:20] It also strikes me how often there seems to be third parties, where it's a contractor, or with someone who was trusted with the data who sticks it somewhere, again for convenience, and it's hard to know how you control that.

Joe Carrigan: [00:17:43:15] There are controls in place for how you're supposed to handle classified information. And I believe this Red Disk leak falls under those guidelines. So, this is clearly somebody mishandling this, in my opinion. Are they being malicious? I couldn't say. In fact, if I had to guess I'd say probably not.

Dave Bittner: [00:18:04:09] What's that old saying? Never assign malice to something that could be explained with incompetence or laziness.

Joe Carrigan: [00:18:12:11] That's exactly what I'm saying.

Dave Bittner: [00:18:14:19] I guess the lesson here is, number one, don't assume that you can just stick something somewhere on line and that no-one will find it.

Joe Carrigan: [00:18:22:15] Yes, because somebody will find it.

Dave Bittner: [00:18:24:09] Those days are over. But also, when you're configuring these things, you need to make sure, double check, have someone maybe watching your back?

Joe Carrigan: [00:18:33:20] Right, lock them down, audit them, that's a good way to say it.

Dave Bittner: [00:18:35:23] Right, audit them. Excellent advice as always, Joe Carrigan. Thanks for joining us.

Joe Carrigan: [00:18:40:03] My pleasure.

Dave Bittner: [00:18:43:09] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit And thanks to our supporting sponsor, E8 Security, follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:19:04:18] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:19:14:17] Our show is produced by Pratt Street Media, with editor, John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.