The CyberWire Daily Podcast 8.27.18
Ep 671 | 8.27.18

Moscow HUMINT drought? Spying on the Patriarch. Ottoman hacktivism. Iranian information operations. ISIS in cyberspace. RtPOS malware discovered.
Dave Bittner: [00:00:01] Just the other day, my 11-year-old son came to me and said, Daddy, it's almost time to head back to school, and this is my first year as a middle-schooler. You suppose we could go shopping and get me a new backpack to carry my books when I walk to and from school? And I said, Son, if enough people go to and sign up to become podcast supporters, we'll be able to go out and get you that new backpack. I'm kidding, of course. He doesn't need a new backpack. He's got arms.

Dave Bittner: [00:00:42] Reports suggest U.S. HUMINT collection in Russia has dried up. Russian intelligence services are showing an interest in disrupting a grant of autonomy to the Ukrainian Orthodox Church by the ecumenical patriarch. Turkish hacktivism shows up in the U.S. as journalists' social media accounts are hijacked. A look at Iranian information operations, ISIS limps back into cyberspace and a new point-of-sale malware family is discovered.

Dave Bittner: [00:01:16] Now a few words about our sponsor, Invictus. We've all heard that cyberspace is the new battle space. Invictus International Consulting was founded by people who know a battle space when they see it. This leading cybersecurity company, headquartered in Northern Virginia, boasts an expert staff with decades of cybersecurity technology solutioning and intelligence analysis experience. Its customers in the intelligence, defense and homeland security communities highly value these Invictus cyberwarriors and their professional ethos. Invictus is a service-disabled, veteran-owned small business - that's SDVOSB - with over 60 percent of the Invictus workforce comprised of veterans. The company excels in achieving mission success not only within the government space, but it has been a game changer within its commercial clientele, as well. An award-winning company recently named to the 2018 Cybersecurity 500 list as one of the world's hottest and most innovative cybersecurity companies, Invictus recently won the Most Valuable Industry Partner award at (ISC)2's 15th annual Information Security Leadership Awards, as well as several others. Check them out at to learn more and to see if you have what it takes to become a cyberwarrior. That's And we thank them for sponsoring the CyberWire. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:49] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 27, 2018. As the week opens, there's considerable news of state-directed espionage and information operations, as well as some efforts that may represent patriotic hacktivism closely aligned with state interests. The New York Times reported over the weekend that CIA sources inside Russia have gone dark and have possibly gone underground, leaving Langley with much less insight than it formerly had into Russian intentions, especially intentions with respect to U.S. midterm elections. The story cites sources inside the intelligence community who say they think the agents probably went underground as opposed to having been arrested or killed by Russian security services. Commentators speculate about a range of causes for the agents' disappearance. These run from the Russian sources having been spooked and intimidated by the attempted assassination of Sergei Skripal in Salisbury, England, to more aggressive and effective Russian counterintelligence, to the theory that the agents never existed in the first place.

Dave Bittner: [00:04:01] That third possibility is the least plausible. It's being retailed by Russia Today in response to The New York Times piece. RT says that, quote, "not for a moment do the authors or their anonymous sources from inside the U.S. spy community contemplate the possibility that Russia might not be doing anything at all. That, however, would upset the apple cart of Russian meddling carefully built from smoke and mirrors since mid-2016, and that just wouldn't do," end quote. Forgive them the mixed metaphor of an apple cart being built of smoke and mirrors, although that indeed would be worth seeing. But their next claim is less forgivable. RT thinks that concerns about Skripal's attempted assassination by Novichok nerve agent are more evidence that the whole affair is bogus because the Salisbury attack is something, quote, "for which the British authorities never provided any evidence," end quote. Essentially, no thinking person outside the editorial staff of RT believes that, probably not even the editorial staff of RT itself. But that's another apple cart. In any case, The New York Times says that human intelligence, HUMINT, about 2018 election influence operations has dried up. The story's developing. We shall see.

Dave Bittner: [00:05:22] In other news that's been evergreen since A.D. 1054, the Russian government is said to be collecting intelligence on the Orthodox Church. This time the target is private correspondence of Ecumenical Patriarch Bartholomew I, whose seat is in Istanbul, formerly Constantinople. Russian interest in Ukrainian religious developments apparently provides the proximate motive. Patriarch Bartholomew is considering whether to grant the Ukrainian Orthodox Church autonomy from the patriarch of Moscow. Doing so would be seen in the Kremlin as an unwelcome blow to general Russian claims of transnational relevance and authority. Tensions between the U.S. and Turkey connected to Turkey's detention of a U.S. missionary and Turkey's growing rapprochement with Russia have manifested themselves in hacktivism by supporters of Turkish President Erdogan. CrowdStrike reports that members of the group Ayyildiz Tim took over social media accounts belonging to journalists at Fox News, Bloomberg and The New York Times. Ayyildiz Tim claims the support of Turkish security services, but it's worth noting that Turkey has for some years had active groups of patriotic hacktivists. Like Ayyildiz Tim, they often show an Ottoman nostalgia that marks the Turkish government's current retreat from the republic's traditional Kemalist secularism.

Dave Bittner: [00:06:51] Security and cyber intelligence firm FireEye is receiving mash notes from several newspapers. The prize for most starstruck goes to the Los Angeles Times, which gushes about the company's analysts being the Navy SEALs of cyberspace. Breathlessness aside, FireEye deserves credit for the work it's done over the past few weeks identifying and unmasking the Iranian cyber operators active in disinformation campaigns against regional and Western rivals and opponents. Their advice facilitated takedowns of bogus, inauthentic sites representing themselves as legitimate ones. Not the least of the company's contributions may be its account of inauthenticity, which may be far more useful in countering information operations in criteria like fake or hateful or inappropriate, all of which seemed to enmesh social media and IT firms in problematic content judgments.

Dave Bittner: [00:07:46] FireEye uses inauthentic to describe sites that are not transparent in their origins and affiliations, undertake concerted efforts to mask those origins and often use false social media personas to promote their content. In the case of Iranian operations, the content on the bogus sites was in large part cut and pasted from other original sites, sometimes altered and stitched together with poorly constructed passages not written by native speakers of the languages in which they were cast. The other large Iranian campaign currently under discussion was described by Secureworks under the name Cobalt Dickens. This espionage effort, largely directed against university targets and presumably being conducted to gain access to newly developed technology, has exhibited connections with Iran's Mabna Institute named in earlier U.S. indictments of Iranian hackers. Iranian cyber operations are generally thought likely to increase as sanctions are reimposed on Tehran for its nuclear program.

Dave Bittner: [00:08:51] U.S. Army Cyber Command's leader thinks ISIS will step up its online activity as the small remaining physical territory of its aspiring caliphate shrinks to insignificance. He's not alone. The group now holds only small, discontinuous pockets in Syria and Iraq, and it's increasingly being displaced by competing jihadist groups in the struggle for adherents. Its current online activities consist significantly in taking credit for unrelated acts of ordinary, if brutal, crime, usually murders. Researchers at Booz Allen Hamilton report on RtPOS, a newly identified point-of-sale malware family. RtPOS' lack of data exfiltration capabilities suggests disturbingly that it's a post-compromise tool. The researchers note that the malware is simple, highly automated and flies easily under much of the detection radar in place to watch for point-of-sale systems. Security firm Securonix has an account of the theft of $13.5 million from India's Cosmos Bank in the second week of this month. It involved a malware infection, an ATM switch compromise and a compromise of the bank's SWIFT environment. They think the infection originated with spear-phishing, and they say the prime suspect is one of the usual ones - North Korea's Lazarus Group.

Dave Bittner: [00:10:23] Now, a few words about our sponsor, the Incident Response Consortium, a leading nonprofit organization working to advance the cybersecurity industry through community building and the sharing of best practices. They're returning to the D.C. metro area this year with their popular free security conference IR18. That's right. It's free, and it's being held September 5 and 6 at the Renaissance Arlington Capitol View Hotel. IR18 welcomes experts, those new to the industry and anyone looking to learn more about the critical issues of cybersecurity. There'll be valuable cybersecurity best practices training, hands-on vendor product training, cyber range war gaming, social networking, career opportunities, mentorship opportunities, chances for educational scholarships and much more. Of course, there'll be free breakfast and lunch, too. Don't miss this great learning opportunity. And it's a chance to make new friends and build professional relationships. Space is limited and with over 600 registered attendees already, be sure to head on over to to register today. That's We thank the Incident Response Consortium for sponsoring our show.

Dave Bittner: [00:11:47] And I'm pleased to be joined once again by David Dufour. He's the senior director of cybersecurity and engineering at Webroot. David, welcome back. We wanted to touch today some on the different roles that different team makers play in an organization when it comes to effective security. And we wanted to talk about engineers. There's some misunderstanding there. What can you share with us?

David Dufour: [00:12:09] Well, you know, I'm fortunate to run a great engineering org inside of a cybersecurity company. So we can look at things a little bit from a couple of perspectives. You know, generally, engineers have a really good, deep knowledge of software, how it works. We're talking about computer engineers, of course. So we have a great relationship with our CISO and our security organization. So being in engineering, we can see things potentially that could be problems that, you know, other folks in the organization may not witness to, so we try to foster a relationship with our engineering team to work with other organizations - marketing, sales, the CISO - just to kind of let them know what we're doing and our experience.

Dave Bittner: [00:12:55] Now, how about communications? I mean, do you have to come up with sort of a - I don't know - an unofficial Rosetta Stone so that everybody can be speaking the same language?

David Dufour: [00:13:05] You know, I don't know why you'd say that, David, because engineers are the most clearly understandable people on the planet (laughter).

Dave Bittner: [00:13:11] Go on.

David Dufour: [00:13:12] Though, honestly, yes. You know, we have some engineers that - and we joke, you know, some of our machine-learning folks, they can only speak in calculus. Like, they think they're dumbing it down when they're writing, you know, formulas for you instead of, you know, straight up calculus. So - but to your point, I think we've identified several key folks inside of our organization who speak engineering and security in a way that takes it out more broadly. And the good thing about that, identifying those types of people, is it allows them to convey the excitement that engineering folks typically have about what they're making and what they're doing to other parts of the organization, which, in our environment here, then allows our sales and marketing folks to really take that excitement out to the rest of the world. So to say every engineer can speak to everyone, I think that's a stretch, but what you have to do is identify those folks who can really take the message out of engineering into the rest of the organization.

Dave Bittner: [00:14:15] And how do you foster that environment of collaboration and make sure that those folks don't end up siloed?

David Dufour: [00:14:22] Yeah. You know, David, that's a great question, and the first thing you have to do is always, always keep pushing because it's very natural for folks to get heads down, to really want to focus on what they're doing because most engineers, what they're doing they love to do, and they'd rather just work on that all day. So it takes effort and energy to push them, and so a lot of times, your internal PR, external PR, they make a great bridge for drawing people out to be able to communicate what they're doing. You know, sometimes as an engineering management lead, I've got to set up discussions and force people kind of to spread their wings a little bit. But once they see folks are curious, once you're fostering those conversations, it kind of starts to take on a natural life of its own. But you do have to push and you've got to - you know, you've got to put energy into it.

Dave Bittner: [00:15:18] Yeah. All right. That's a good perspective. As always, David Dufour, thanks for joining us.

David Dufour: [00:15:23] Thanks for having me, David.

Dave Bittner: [00:15:29] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at

Dave Bittner: [00:15:37] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsors Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:16:05] If you enjoyed the CyberWire and our Research Saturday show, we hope you'll check out the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I co-host that show with Joe Carrigan from the Johns Hopkins University Information Security Institute. Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [00:16:55] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.