The CyberWire Daily Podcast 6.27.18
Ep 629 | 6.27.18

DDoS attack on ProtonMail. Rancor cyberespionage campaign. PythonBot serves ads and a cryptominer. EU joint cyber response unit forming. Arrests in BEC campaign. Reality Winner's plea.


Dave Bittner: [00:00:03] ProtonMail's been hit by Apophis Squad DDoS. RANCOR cyberespionage campaign is observed in Southeast Asia. PythonBot serves up adware and cryptojacking. A WannaCry-themed protection racket is all bark and no bite. The EU's organizing a joint cyber incident response force. The FBI and international partners make arrests in an Africa-based business email compromise racket - and Reality Winner's guilty plea.

Dave Bittner: [00:00:37] I've got a few notes to share from our sponsor Cylance. You've heard a lot of warnings about Russian cyber operators and their threat to the power grid in the U.K., North America and elsewhere. Did you ever wonder how they get in? Sure, there's phishing and spear phishing. Those can never be discounted. But here's a twist. Cylance has determined that one of their ways into the grid is through routers. They found that the Bears are using compromised core routers to hit government agencies and organizations in the energy, nuclear, commercial facilities, water, aviation and manufacturing sectors. That's a bigger haul than a phish net could catch. Go to and check out their report on Energetic DragonFly and DYMALLOY Bear 2.0. I'm sure you'll find it interesting. That's And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:39] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 27, 2018. A major distributed denial of service attack hit both ProtonMail and ProtonVPN for several hours. The affected service provider says a group linked to Russia is claiming responsibility. The group counting coup is Apophis Squad, according to both TechCrunch and what we've seen in a bit of flame war between ProtonMail and those it calls clowns. The attack this morning lasted several hours - although most users experienced it as intermittent service outages.

Dave Bittner: [00:02:22] ProtonMail is an encrypted service incorporated in and operating from Switzerland. The company said their upstream DDoS protection service, Radware, needed more time than usual to perform its mitigations. The attack was more focused than the usual run-of-the-mill denial of service attacks ProtonMail and others experience daily. Apophis Squad has been making a nuisance of itself for several years. And hey, lookee, lookee - Apophis Squad still seems to have its very own Twitter account. Apophis Squad apparently takes its name from the Greek version of the un-creator, the dark and baleful serpent of Egyptian mythology. Apophis is the enemy of the sun god Ra. And he's usually held in check by the god Set - or in this case of course by the engineers at Radware.

Dave Bittner: [00:03:12] Palo Alto researchers describe RANCOR, a new APT group engaged in cyberespionage against Singapore, Cambodia and Thailand. Attribution isn't clear, but there's some circumstantial commonality between the backdoor RANCOR is using and that employed by Chinese threat actors. Palo Alto thinks the campaign probably insinuated itself into its target's webpages through spear phishing. It's using two distinctive malware strains - DDKONG and PLAINTEE. The latter strain, PLAINTEE, looks to be novel.

Dave Bittner: [00:03:47] Kaspersky researchers are warning that a new variety of adware is infesting susceptible Windows machines. They call it PBot or PythonBot, obviously because it's written in Python. PBot is not only an irritating strain of adware, but it's also a cryptojacker. Most of the victims seen so far have been located in Kazakhstan, Latvia, Ukraine and Russia.

Dave Bittner: [00:04:11] The U.K.'s Action Fraud center is warning that WannaCry-connected emails are circulating. Indeed, they are. But don't be deceived. The emails represent nothing more than an empty threat. It's a continuation of an ongoing campaign in which some petty hoods are telling people that they'll infect them with WannaCry if they don't pay up. Again, the threat is empty. The crooks don't have WannaCry - or apparently anything else. So just delete the email as the spam it is and move on.

Dave Bittner: [00:04:41] The EU is organizing a cyber response force that will coordinate the union's reaction to incidents. The declaration of intent proposed by Lithuania has advanced and acquired more signatories. France, Finland, Croatia, Estonia, Spain and the Netherlands are on board with Lithuania. And Belgium, Slovenia, Germany and Greece have signed on as observers. Lithuanian officials said, as reported by Infosecurity Magazine, that, quote, "each participant would need to have a standing cybersecurity unit which could join the neutralization and investigation in virtual or even physical reality in the event of a significant cyber incident," end quote. The group plans to hold its first joint exercises later this year.

Dave Bittner: [00:05:26] The U.S. federal government regularly faces criticism for inefficiency and insufficient attention to cybersecurity. Paul Aubin is regional sales manager for the civilian intelligence and global system integrator business at Varonis, where they recently surveyed government IT professionals. And he shares the survey results.

Paul Aubin: [00:05:45] The really key finding that was really important to us is - you know, I think it was 82 percent said, protecting the data is now our top priority. You know, if you look at a network, you know, between 60 and 80 percent of the data on a network is what we call unstructured data - you know, Word files, PDF files, Excel spreadsheets - you know, those documents that are created by users, not the Oracle database or the Financial Database type data, right? The problem with that is you don't know what's in that data. You don't know if that data is what we call sensitive, right? And sensitive - just to define that for your listeners - is any data that if seen by the wrong group or individuals can cause harm, right? That's how we define sensitive. It could be as simple - it could be PII information. It could be a list of Social Security numbers and driver's license, which would be really bad. But it could also just be a memo that you wrote about an employee. So sensitive goes beyond what people normally think, the HIPAA, the PCI and that type of thing. Right?

Dave Bittner: [00:06:39] OK.

Paul Aubin: [00:06:40] What was really valuable to us is data's now a top priority in the agency. Right? And if you look at CDM, phase four is 100 percent about protecting that data.

Dave Bittner: [00:06:50] What is your advice for folks who are - who want to get into that government market because it's different than selling to the private sector. There, the rhythms are different. The cycles are different. Do you have any tips for folks?

Paul Aubin: [00:07:03] You know, I tell people who want to - you know, I think the first step - right? - people who want to work as contractors in the government sector versus people who want to work for - you know, sell to the government sector, like I do. You know, the big difference is just understand that the pace is going to be very different, that the process is going to be very different. Right? That there's going to be a lot of rules and roadblocks that you just have to accept. Right? And just know that that's part of it and accept it. Don't complain about it. You know, I'm not saying don't change some of it. But, you know, understand that that's just the way it works.

Dave Bittner: [00:07:35] Is that slower cycle a potential barrier for protection itself? Does it slow down the ability to innovate, to take on new technologies? You follow my line of thinking here?

Paul Aubin: [00:07:47] It is. I definitely believe it is. I've talked to a number of federal agencies that are like, hey, this is fantastic. I wish I would have talked to you 10 months ago, but I've already spent my allocation for this year. You're in my fiscal '19 plan now. You know, and so what does that really say? OK, I see value in this. I want to add this protection that you provide, but I'm not going to do it for nine months. Right?

Dave Bittner: [00:08:11] Right.

Paul Aubin: [00:08:12] Or there's even a few agencies out there that are ready to do it, but due to waiting on award of contracts or waiting on award of service agreements, you know, it's still going to be six to nine months. So yeah, the bureaucratic nature of government does slow it down and probably does leave things unprotected differently than what would happen in a commercial agency, where the CEO's like, shoot, I'm going to lose my job if I don't fix this. I'm going to reallocate resources. I'm going to reallocate people. And I'm going to make this a priority today. Right?

Paul Aubin: [00:08:41] I think the other thing that's changed is you're seeing accountability. You know, the executive order around accountability on cybersecurity that came out earlier this year from the current administration, you know, is now holding senior executives, senior military officers and even Cabinet-level leaders and political appointees responsible for this. And I think that might have been some of the problems prior to this, is, OK, I didn't do it. We got a breach. But nobody got - nobody lost their job over it.

Dave Bittner: [00:09:10] That's Paul Aubin from Varonis.

Dave Bittner: [00:09:13] An international law enforcement effort, Operation Keyboard Warrior, has resulted in the arrest of eight suspects as a business-email compromise ring based in Africa is broken up. The U.S. FBI is particularly pleased with the collars.

Dave Bittner: [00:09:30] Booz Allen's Dark Lab has been tracking business-email compromise activity for some time. They note that it usually establishes itself in one of three ways - commodity keyloggers, compromise of a company employee's internal email account or, most commonly, sending a deceptive email to someone authorized to transfer money and then directing them to perform a wire transfer. Dark Lab has a list of domains recently involved in this last form of business email compromise. You can find that list posted in Booz Allen's "Perspectives" blog under the entry "New BEC Scheme Targets Companies Worldwide."

Dave Bittner: [00:10:08] Reality Winner's plea agreement in the case of classified material leaked to The Intercept calls for Ms. Winner to serve five years and three months in prison. Her guilty plea was entered yesterday, but her sentence will be formally imposed at a later date. She acknowledged taking classified material from her workplace - she was then working for an NSA contractor in Georgia - and offering it to The Intercept.

Dave Bittner: [00:10:32] Supporters of the 26-year-old NSA and Air Force alumna are asking that the court consider her service to her country in mitigation. It's difficult not to notice that much the same could be said for anyone who released classified material when such release wasn't duly authorized, a little like the famous joke-y example of chutzpah in which the child who killed his parents throws himself on the mercy of the court because he's now an orphan.

Dave Bittner: [00:11:01] Ms. Winner was scooped up quickly by investigators after The Intercept sought to authenticate the documents they were offered. Good on The Intercept for trying to confirm a story, but it was bad luck for the leaker since the agency that saw the material was able to swiftly find where the leak came from. Specifically, Ms. Winner was undone and unmasked by microdots in the printed documents she proffered to the journalists.

Dave Bittner: [00:11:25] Now researchers at TU Dresden say they've developed a technique of masking such identifying marks. Too late for Ms. Winner, but soon to be on offer for future leakers. The researchers looked at 141 printer models made by 18 manufacturers and mapped four distinct tracking dot patterns or matrices. They created an app that automates tracking-dot pattern extraction and analysis and also creation and implementation of anonymization patterns that can be overlaid on a document to render the dots ambiguous. The app works at least for scanned documents. And the TU Dresden crew has made it available. Too late for some, and of course one imagines there will be a response from those who work on tracking technology.

Dave Bittner: [00:12:13] And finally, no, it's not just you. Yes, Slack went down this morning, with many an earthquake through many a business. Reasons for the outage are unclear, but Slack is back up for at least some of us. It was, of course, a trial speaking face-to-face with your co-workers. If you think you had it rough, imagine how it was for me talking to the linguistic staff or the gunnery desk or - heaven forbid - the historians.

Dave Bittner: [00:12:44] Now a few words about our sponsor, Invictus. We've all heard that cyberspace is the new battle space. Invictus International Consulting was founded by people who know a battle space when they see it. This premier cybersecurity company, headquartered in northern Virginia, boasts an expert staff with decades of cybersecurity, technology solutioning and intelligence analysis experience. Its customers in the intelligence, defense and homeland security communities value Invictus and its work. As a service-disabled veteran-owned small business, over 60 percent of Invictus' workforce is comprised of veterans. And it's not just in the government space. It delivers for commercial clients, too, an award-winning company recently named to 2018's Cybersecurity 500 list as one of the world's hottest and most innovative cybersecurity companies. Invictus has also won the Most Valuable Industry Partner Award at the (ISC)² 15th annual Information Security Leadership Awards. So check them out at That's And we thank Invictus for sponsoring our show.

Dave Bittner: [00:14:03] And joining me once again is Emily Wilson. She's the director of analysis at Terbium Labs. Emily, welcome back. You have a tale to tell, a story to share with us. This is about a 6-year-old getting hit with some identity fraud. Tell us the story. What do we need to know here?

Emily Wilson: [00:14:21] So this is a story that I first read a few months ago. I think it first dropped in April. And I found myself referencing it in conversation often enough that I wanted to share it with your listeners. So the situation here is that a 6-year-old girl out of Arizona was first hit with ID theft back in 2011 - yes, a 6-year-old, ID theft. And this is one example of what I'm sure your listeners are coming to hear more about every day of synthetic ID fraud, right? This is a situation where someone is using the Social Security number of another individual, typically a child, combined with information from a variety of other sources to create this new composite ID.

Emily Wilson: [00:15:04] And so the mother of the 6-year-old found that somebody had been opening retail credit card accounts with this child's Social Security number. And this begins sort of a twisted tale where the mother, I think as any of us would think to do, decides to try and prosecute this and try and take this all the way to the end and, you know, not only kind of bring some attention to the issue but also help her daughter out because, you know, the last thing you want when you're 6 is bad credit.

Emily Wilson: [00:15:31] So over the course of four or five years, you know, this mother is consistently dealing with issues. She's going to stores and trying to get information about who opened the account, showing them the Social of her daughter, saying, you know, this is my kid's Social; you have to share with me the information opened under this identity and stores saying, you know, no, we can't give you that, you know, showing lots of gaps in the framework that we have now.

Dave Bittner: [00:15:54] So protecting the privacy of...

Emily Wilson: [00:15:56] Of the fraudster.

Dave Bittner: [00:15:57] ...Of the fraudster.

Emily Wilson: [00:15:57] Yes.

Dave Bittner: [00:15:57] All right, go on.

Emily Wilson: [00:15:59] And the mother goes so far as - you know, she's talking to the Social Security Administration and asking to get a Social reissued for her daughter. And she changes not only her daughter's first name but her middle name in an effort to create a new ID based on the Social Security Administration's requirements. And they say, no, you have to change her last name, too. So you're already changing, you know, the identity that this girl has come to know because somebody else is committing fraud, and the government's saying, sorry, we can't do anything about it.

Emily Wilson: [00:16:29] And so in the end, they still have not reissued a Social. They are now seeing another set of frauds being applied to this girl. And this is, again, seven or eight years after the initial fraud. And I just - it's a horrifying story, and I think it's one that we're going to see more examples of in the years to come as people begin to recognize that their kids' IDs are being used for things like this.

Dave Bittner: [00:16:49] Well, and I think it also points to the possibility that we rely on that Social Security number for far more things than what it was originally designed for and what's useful. And, you know, we - perhaps it's time to move on.

Emily Wilson: [00:17:03] There are a lot of good conversations being had about finding some other authenticator. And I'm excited to see that happen. I think in the meantime, we're in this weird dynamic. And I say weird because there's really no other word for it. It's a situation where we're using a single identifier that is both universally known and yet extremely sensitive for everything that we do kind of with the government and in the private sector in many cases. And this is something that people can easily get their hands on, easily exploit and, until very recently, businesses had no way to verify.

Emily Wilson: [00:17:38] The one good piece, if there is a good piece, the one small piece of progress in this story is that recently, end of May, there was a Consumer Protection Act that came out that is going to require the Social Security Administration to create a system to allow financial institutions and others - other relevant parties, I should be clear - to confirm that the name and contact information associated with the Social actually matches up to what the financial institution was given. And this is the kind of solution that you think would have been around since the '90s, but, no, it's 2018.

Dave Bittner: [00:18:13] Wow. All right, well, it's a sad story for the 6-year-old, but hopefully it'll end well for her. As always, Emily Wilson, thanks for joining us.

Dave Bittner: [00:18:27] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace One Intelligence. Learn more at

Dave Bittner: [00:18:55] Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [00:19:24] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.