The CyberWire Daily Podcast 3.23.18
Ep 562 | 3.23.18

US indicts Iranian hackers. Guccifer 2.0 is a GRU Bear. Atlanta hit with ransomware. Equifax breach cost consumers plenty. Facebook's troubles persist, as do Cambridge Analytica's.

Transcript

Dave Bittner: [00:00:01:01] A quick reminder that if you're attending the RSA conference this year, be sure to stop by in the North Hall to the Akamai booth, that's N3625, where I will be appearing daily doing meet and greets and some interviews as well. And of course, we thank Akamai for making these appearances possible. That's Akamai harnessing the cloud, without losing control. Hope to see you there.

Dave Bittner: [00:00:24:06] Iranian hackers are indicted. Guccifer 2.0 is fingered as a GRU team. Inquiries into their activities are folded into Special Counsel Mueller's investigation. Atlanta, Georgia's been hit with ransomware. A study estimates the direct cost of the Equifax breach to consumers. App stores show a decline in malware infestations. Facebook leaders speak, finally, but do little to ease the company's pain. An FTC inquiry could be costly. The Cambridge Analytica affair will have implications for regulations, marketing, and consumer trust.

Dave Bittner: [00:01:02:12] Time to share some words from our sponsor, Cylance. Are you headed to RSA? Don't forget to look up Cylance while you're there. Drop by booth 3911 in the North Hall and meet up with their expert professional services staff, or attend one of their featured conference sessions. If you're in a festive mood, you can connect with them at the digital shadow security leaders party.

Dave Bittner: [00:01:23:00] Wherever you make your connection, they look forward to talking with you. You can ask them about AI and machine learning, or ask about their industry leading research into threat actors who threaten our power grid. You can learn more about their presence at RSA, by searching Join Cylance at RSA Conference 2018. And we thank Cylance for sponsoring the CyberWire. That's, Join Cylance at RSA Conference 2018 and be sure to connect with the company that's making a difference in security. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:02:01:09] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe. I'm Dave Bittner with your CyberWire summary for Friday, March 23rd, 2018.

Dave Bittner: [00:02:13:08] This morning the US Justice Department announced that it had indicted nine Iranians for a multi-year cyberespionage campaign they conducted while working for the Mabna Institute, an innocent-sounding organization that works on behalf of the Islamic Revolutionary Guard Corps. The Mabna Institute is also named as a defendant. Charges include conspiracy to commit computer intrusions, wire fraud, unauthorized access of a computer and aggravated identity theft. The campaign was a multi-year operation. It began in universities, where the defendants are alleged to have phished about 100,000 professors in some 300 universities worldwide, 8,000 of them took the bait. The attackers are said to have extensively prospected university databases for technical information. They then extended their campaign to corporations and government offices using "low-and-slow" password spray attacks, an approach that's easily overlooked by defenders.

Dave Bittner: [00:03:12:18] The Islamic Revolutionary Guard Corps, essentially the Iranian government, has both used and sold the data and intellectual property they've stolen. The indictments and the accompanying Treasury Department sanctions will, the US hopes, serve to impose consequences on the attackers. It's unlikely any of the individuals indicted will face American justice, but of course they will find travel to countries that have extradition treaties in place with the US uncomfortable to the point of impossibility. US organizations were not the only ones affected. Victims were found in some 21 countries worldwide.

Dave Bittner: [00:03:51:04] Turning to that other nation-state cyber no-goodnik, you'll recall Guccifer 2.0? The notional hacktivist who doxed the Democratic National Committee with some enforced transparency of less-than-creditable internal emails? He's back in the news, and he's no hacktivist at all. He's GRU. This has long been widely believed and now appears to be confirmed. The threat actor originally posed as a Romanian hacktivist, but that didn't hold up under either journalistic or linguistic scrutiny. It was difficult to track Guccifer 2.0 because of his use of Elite VPN, an anonymizing service headquartered in Russia but with an exit through a server in France. On at least one occasion, however, Guccifer 2.0 forgot to activate the VPN client before logging in, and his IP address led to Moscow and the GRU. The Daily Beast reports that Special Counsel Mueller has brought the FBI agents who worked on Guccifer 2.0 into his investigation. Some political advisors to the Trump campaign had swallowed Guccifer 2.0's claims to be a disinterested hacktivist, and had some Twitter encounters with him. We say him for convenience, it could also have been her, of course, but them is most likely.

Dave Bittner: [00:05:05:09] At one point the Guccifer 2.0 persona was handed over to an operator with better tradecraft and English proficiency than the original, perhaps he should be known as Guccifer 2.0.1. But, as we hear so often, "cybersecurity is a team sport," and that's true whether you're playing offense or defense. It's also worth noting that Guccifer 2.0 shouldn't be confused with the original Guccifer, Marcel Lazăr Lehel, an actual Romanian hacker who's now serving time in the US for his 2012 to 2014 one-man cyber crime wave. The GRU's homage to Marcel was misdirection. And, even though we're neither the Illuminati Guccifer 2.0 claimed to be hunting nor the Wealthy Elite that are the Shadow Brokers' preferred quarry, we await a similar discovery about the Brokers, who've been quiet now for some time. Their style seems maybe more FSB than GRU, but we suspect these roads still lead back to Moscow. The Heckawi lingo shouldn't fool anyone, not even you, Wealthy Elite.

Dave Bittner: [00:06:09:21] The city of Atlanta, Georgia, confirmed yesterday that a ransomware attack has disabled a number of citizen-facing services. It's unknown so far exactly what's been affected, or how recovery is expected to proceed.

Dave Bittner: [00:06:23:13] KrebsOnSecurity reports that a study by Wakefield Research has put a retail price tag on the Equifax breach. American consumers spent some $1.4 billion on credit freezes after the credit bureau disclosed that it had lost a vast trove of personal information.

Dave Bittner: [00:06:41:11] Security firm RiskIQ has some good news about app stores. They note that the occurrence of malicious apps has declined by 37 percent, largely because of a decrease in Android malware inventory.

Dave Bittner: [00:06:55:08] The European Union's General Data Protection Regulation (GDPR) will be fully implemented just two months from now, on May 25th. Security firms see a need and seek to fill it. Data-privacy-officer-as-a-service offerings have proliferated. GDPR has certainly spooked the market, and many firms will no doubt conclude that they should obtain the services of a data privacy officer the way they obtain the services of an attorney. Don't try to develop the expertise in-house, but rather go outside for it.

Dave Bittner: [00:07:27:11] Heavy US tariffs imposed on Chinese tech imports are seen as a form of reprisal for cyberattack, specifically for cyberattacks that steal intellectual property.

Dave Bittner: [00:07:38:22] Britain's European allies prepare to expel Russian diplomats in solidarity with the UK over the attempted assassination of Sergei Skripal. Latvia, Lithuania, and Estonia are moving first, with Poland, Germany, and France expected to follow suit soon thereafter.

Dave Bittner: [00:07:56:21] Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg are receiving little love for their public handling of the Cambridge Analytica data affair. As WIRED magazine puts it, Mr. Zuckerberg waited either five days or two years to make a public statement about the matter, depending on how you look at it. Both would seem to be too late. Ms Sandberg has finally leaned in with some public comments of her own, saying that the social media giant would "be open to regulation", but this stop-me-before-I-sell-your-data-again plea is also receiving tepid reviews. A number of observers have commented that Facebook's business model is surrounded by a bodyguard of shifting EULAs, and that's not a good thing. It may well be that the EULAs as we've known them go the way of the hold-harmless clauses, the ones that say, you do this thing we're offering you at your own risk, which pretty much don't hold up in court for anyone except ski resorts.

Dave Bittner: [00:08:54:18] Facebook is under investigation by the US Federal Trade Commission, a famously willful and rapacious regulatory body. The FTC wants to determine whether Facebook violated an earlier consent decree that required Facebook to obtain users' permission before it shared their data. If Facebook is found to be in violation of that consent decree, it could face fines of $40,000 per violation. You do the math. $40,000 dollars is petty change for Facebook, but that figure, we stress, is per violation. Quantity has a quality all its own.

Dave Bittner: [00:09:29:16] In the UK, suspended Cambridge Analytica CEO Alexander Nix is back in Parliamentary hot water. He's being recalled to testify before a panel investigating fake news. Westminster has decided it's dissatisfied with some of the things Mr. Nix has told it before, and it would like some clarification. A great deal of the odium surrounding the firm's activities derives from the nastiness of its own self-image. We've noted before Mr. Nix's uncanny visual resemblance to characters in the Kingsman movies, but it seems unlikely that Kingsmen would have done so much wallowing in fantasies of blackmail and entrapment. There are reports that Cambridge Analytica was engaged in political consultation of this kind in both Nigeria, St. Kitts, and Nevis.

Dave Bittner: [00:10:16:22] Fairly or not, the episode is likely to have profound effects on online marketing. The market is already punishing Facebook as advertisers withdraw from the social media platform. Apple's Tim Cook has for a number of years said, with a sideways glance at Silicon Valley neighbors Google and Facebook, that if you're not paying for the product, you are the product. People haven't, in general, minded that bargain because they liked the value the free services offered. That may be about to change.

Dave Bittner: [00:10:50:21] And now a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operation and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence. Validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. The pioneer in threat intelligence platforms, ThreatConnect provides organizations a powerful cyber threat defense and the confidence to make strategic business decisions. With ThreatConnect, your team works as a single cohesive unit, reinforced by a global community of peers. To register for a free ThreatConnect account, or learn more, visit threatconnect.com/free. That's, threatconnect.com/free to learn more. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:12:06:00] And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We saw a report come by via Reuters that the US Consumer Protection officials have put the Equifax probe on ice. What's going on here? Why would the Consumer Protection officials dial this back?

Ben Yelin: [00:12:29:23] So, back in September we found out that Equifax had been breached, that hackers stole the personal data of approximately 143 million Americans, which, just to put that in context, that's about one half of the people that live in this country. So it's a plethora of information, and it's obviously deeply personal information. When we give information to these credit reporting bureaus, it's everything from social security numbers, bank accounts, credit card accounts. I mean it's some of our most personal and protected data. So obviously this was a massive breach, and the leadership at the time of the Consumer Financial Protection Bureau, which was created as part of the Dodd-Frank Act in 2010, was seemingly very concerned about it and started an investigation to see what went wrong, to sort of do some testing on some of the systems to make sure that it doesn't happen again.

Ben Yelin: [00:13:28:08] The head of the Consumer Financial Protection Bureau, a guy by the name of Richard Cordray, who was appointed by President Obama, he resigned at the beginning of November. He's actually running for Governor of Ohio, and there was a bit of a legal dispute about who his replacement would be. The law is rather unclear on the subject. The president appointed the Head of the Office of Management and Budget, Mick Mulvaney, to be the temporary chair of the Consumer Financial Protection Bureau. Courts affirmed that he was the legal head of that program, so he has resumed authority over these past few months, and according to these sources quoted in the Reuters article, he's sort of let this Equifax investigation wither on the vine.

Ben Yelin: [00:14:13:13] Now, we don't exactly know what the motivations of that are. There are certainly legitimate questions about whether the Consumer Financial Protection Bureau, as opposed to other federal agencies, like the FTC, should be the ones conducting this investigation, but I think if we look broadly at the politics involved in here, Republicans have long been skeptical about the Consumer Financial Protection Bureau. They think it's too harsh on the industry players and think that it could have a negative effect on our, our system of commerce. So they've sort of long been against this, this program's existence and now that one of their own has taken it over, I think he's taking a step back, sort of curtailing the more aggressive activities of his predecessor.

Ben Yelin: [00:14:59:22] And you know, as far as the poll is concerned, that, that's a major problem. We need to make sure that we're using all of our institutional power to make sure this type of attack never happens again, because half of all Americans have had their, their personal data breached. So I think it's a, it's a worrisome development.

Dave Bittner: [00:15:20:06] Yes, it's a real head scratcher. A breach this size, it just doesn't seem to me like there'd be a significant political constituency who would be forgiving Equifax a break on this one.

Ben Yelin: [00:15:32:11] Yeah, I mean I don't think there really is. This is sort of all happening under the radar, while we're focusing on, you know, the President's latest tweets, or some of the other high profile legislator fights. I mean it's not just this Equifax investigation that's withered on the vine. I think Director Mulvaney has put basically a moratorium on all activities inherent in the Consumer Financial Protection Bureau. He wants to better understand what's happening at the Bureau, what its powers are, you know, so that he can fully understand the job. But it's certainly lost some of the teeth that it had under its previous director, Richard Cordray.

Ben Yelin: [00:16:06:09] And I think, you know, a lot of agencies, their level of involvements, their level of, you know, how much they care about certain political problems, changes when the political party of the administration changes. And I think that's what happened here. We've just seen an administration that's hostile to these types of regulations on business. They now control the agency and I think, you know, the rest of us are going to be facing the consequences of their inaction here.

Dave Bittner: [00:16:34:04] Ben Yelin, as always, thanks for joining us.

Ben Yelin: [00:16:36:24] Thank you.

Dave Bittner: [00:16:42:01] Time to take a moment to tell you about our sponsor Comodo. Here's the bad news, there is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless. That's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017. So even at 99%, you're still a target for 1.2 million pieces of malware. If you do that math, that's still over 3,000 problems per day that current solutions cannot solve. Comodo doesn't settle for 99% and neither should you. They put those 3,000 daily problems into a lightweight, kernel level container, where the malware's rendered useless. With Comodo's patented auto containment technology, they bulletproof you down to hour zero every time, solving the malware problem. So with Comodo, you can say with confidence, I got 99 problems, but malware ain't one. Go to enterprise.comodo.com to learn more and get a free demo of their platform. That's enterprise.comodo.com and we thank Comodo for sponsoring our show.

Dave Bittner: [00:17:58:11] My guest today is Kevin Haley. He's a director at Symantec Security Response. And he joins us to discuss their latest research report, ISTR23, Insights into the cybersecurity threat landscape. It's the latest version of Symantec's annual look at cybersecurity threats.

Kevin Haley: [00:18:16:07] Probably the thing that really jumps out this year is what we're calling an explosion in cryptojacking, an 8,500% increase. And that really just started in the, in the fall and the winter. Cryptocurrency prices started to go up. Bad guys saw an opportunity and so they began to, instead of buying their own rigs, and paying for their own electricity, decided to use yours and mine in order to mine for, for coins. So that's clearly there's been a lot of incidences have made the news, and so far this year, it's something we expect to see continue for the rest of the year. And as long as cryptocurrency prices remain high, people will look to borrow somebody else's resources to mine them.

Dave Bittner: [00:19:06:21] Now another thing that you all highlighted in the report was a spike in software supply chain attacks. Can you describe that for us?

Kevin Haley: [00:19:13:09] Sure, probably the simplest way to think about it is the bad guys will insert their malware into the software update, from one of your software vendors. Best practices, you need to keep your software up to date, so you download the latest release, you install it on your system, it works fine, but you've also installed the bad guys' malware as well. We'd talked about this back in like 2014, a group called the Dragonfly was doing it. They've been in the news recently. They're still out there trying to break into energy industry companies and understand how the factories work, how all the systems work, so they could take over if they want.

Kevin Haley: [00:19:54:09] And it seemed like kind of a one-off, and every now and then you hear about this happening again. In fact, there was the Petya, this year, also CCleaner, where bad guys inserted themselves into software updates to get into organizations and people tend to think of it as a one-off. We really wanted to make the point this year that this is not just that one you read in the paper. This is ongoing. We saw at least one of these types of attacks every month in 2017, a 200% increase from the year before. Organizations have to take this seriously. This is, this is not an aberration. This is not a one-off, and they need to start having that conversation with their software vendors. What are you doing to protect me?

Dave Bittner: [00:20:37:12] Now you also saw some shifts when it comes to ransomware.

Kevin Haley: [00:20:41:11] Yes. I mean first off, well you could say well ransomware had a huge year. Well, well if you look at Petya and WannaCry. And of course, in the Petya case, it wasn't really ransomware, it was looking to destroy computers, but to hide that fact behind pretending to be ransomware. If you take those two threats out, what you see is that the market has kind of leveled off. Ransomware has, has stopped that, that huge growth. And we think that there's a couple of reasons for that. Maybe the simplest explanation is market correction. In 2016, we saw a lot of new gangs get into ransomware. They saw an opportunity to make money, kind of like cryptojacking is now. They wrote their ransomware and they got into the business. And, and they knew they could make a lot of money. They all placed their product very high. The ransom demands that went up on average were $1,000.

Kevin Haley: [00:21:37:12] And what happened is, there are too many products in market and they were overpriced. So these, these ransomware guys are out there and they're asking way too much money and people couldn't, even if they wanted to, they couldn't pay that much money to get their files, their photos back. So these cyber criminals weren't making as much money as they thought and they've kind of left the marketplace.

Dave Bittner: [00:21:59:19] And you also saw some changes when it comes to, or I guess some persistence when it comes to targeted attacks.

Kevin Haley: [00:22:06:07] Yeah, we did something interesting this year. I mean we've done research into targeted attacks, what they're doing, how they do it for, you know, for numerous groups. But we decided to take a bit of an analytical approach this year and kind of create some stats, and the reason we could do that is there are so many targeted attack groups at this point. We're tracking 140 different groups. It seems to grow on average of about 29 new groups every year, so there's a lot of them out there.

Kevin Haley: [00:22:35:01] Probably one of the most interesting findings from looking at it that way is that 71% of these groups are still using spear phishing as a way to get into an organization. You have watering hole attacks, you have these supply chain attacks, you have zero day vulnerabilities. They're still using spear phishing. It's cheap, it's efficient, it just works. In fact, not that many groups use zero days. We think that they're expensive, they have a short shelf life, and why are you bothering with that when you can go do one of these spear phishing attacks and it works just as well.

Dave Bittner: [00:23:14:11] And you're also seeing a continued surge when it comes to mobile malware.

Kevin Haley: [00:23:18:18] Right, mobile malware is something that I think is, is sneaking up on us. You know, there was a number of vendors, vendors who rush out and say well hey, this year is the year of mobile malware, and, and it never exploded. So we never got it, right this thing never blew up. But what it did was to steadily climb every single year. We saw a 54% increase in the number of mobile malware variants, that's new pieces of malware for mobile. It's still not at the same numbers as PCs, but it has consistently grown year after year and it's time we take it serious. We can't wait for that explosion to start addressing this problem. It's already here. It's crept up on us.

Dave Bittner: [00:24:06:01] Now when you look at the report overall, and the results that you've gotten from it, what sorts of advice do you have for folks who are looking to, you know, develop their strategies as we look over the next year or so to defend themselves?

Kevin Haley: [00:24:19:07] Well, one of, one of the first things that, that jumps out at me is when you look at cryptojacking, is it attacks every type of device. We saw an 80% increase in attacks against Mac last year, you know that, that, that platform that doesn't get viruses. Well it does, not as many as Windows, but it saw a huge increase, because it's susceptible to cryptojacking just like other, other systems. We saw a 600% in attacks against IoT devices. Now, those weren't all crypto mining, but they're very vulnerable devices. There's a lot of them. You can build a huge botnet, and you may not get a big payoff in mining on any single one, but if you have a million of them, you can do some damage. So the message I'd take away is, yeah, all these devices need to be protected. You need to, you need to step it up in all these areas. It's unfortunate, things never seem to get easier, but that's the world we live in.

Dave Bittner: [00:25:17:05] That's Kevin Haley from Symantec. The complete report ISTR23 Insights into the Cybersecurity Threat Landscape, can be found on the Symantec website. It's in their blog section.

Dave Bittner: [00:25:30:10] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you, through the use of Artificial Intelligence, visit cylance.com. And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more.

Dave Bittner: [00:25:52:10] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media. With editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.