The CyberWire Daily Podcast 8.31.18
Ep 675 | 8.31.18

Recruiting spies via LinkedIn. WindShift in the Gulf. GlobeImposter ransomware. Blocking Telegram is harder than it looks. Policy notes from the Five Eyes.


Dave Bittner: [0:00:03] The U.S. intelligence community says that China is actively trying to recruit spies over LinkedIn. The WindShift espionage group is active in the Gulf. GlobeImposter ransomware continues its evolution and spread. The Five Eyes issue some communiques about cooperation in cyberspace. Russia would like to block telegram if it could do so without too much collateral traffic damage - and supply chain questions about Google's Titan.

Dave Bittner: [0:00:37] Now a few words about our sponsor, Invictus - we've all heard that cyberspace is the new battle space. Invictus International Consulting was founded by people who know a battle space when they see it. This leading cybersecurity company, headquartered in Northern Virginia, boasts an expert staff with decades of cybersecurity, technology solutioning and intelligence analysis experience. Its customers in the intelligence, defense and homeland security communities highly value these Invictus cyberwarriors and their professional ethos. Invictus is a service-disabled veteran-owned small business - that's SDVOSB - with over 60 percent of the Invictus workforce comprised of veterans. The company excels in achieving mission success not only within the government space, but it has been a game changer within its commercial clientele as well. An award-winning company - recently named to 2018's Cybersecurity 500 list as one of the world's hottest and most innovative cybersecurity companies. Invictus recently won the most valuable industry partner award at (ISC)² 15th Annual Information Security Leadership Awards, as well as several others. Check them out at to learn more and to see if you have what it takes to become a cyberwarrior. That's And we thank them for sponsoring this CyberWire.

Dave Bittner: [0:02:06] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday August 31, 2018.

Dave Bittner: [0:02:18] Senior U.S. counterintelligence official William Evanina, whose formal title is director of the National Counterintelligence and Security Center, warned that Chinese intelligence services are actively using LinkedIn to recruit American agents. The Chinese recruiting campaign involves contacting thousands of LinkedIn members at a time. The effort apparently involves catfishing. Director Evanina declined to disclose how many bogus Chinese accounts U.S. authorities had discovered. He also wouldn't say how many Americans had been contacted or with what success.

Dave Bittner: [0:02:53] Evanina recommended that LinkedIn take action to purge itself of authentic accounts, pointing to Twitter's recent housecleaning as a good model for LinkedIn to consider. He was clear in that he regarded LinkedIn as a victim in this case. LinkedIn told Reuters that they've been talking with U.S. law enforcement agencies about Chinese espionage and that they did what they could to control catfishing and other abuse. The company's head of trust and safety Paul Rockwell said, quote, "we've never waited for requests to act and actively identify bad actors and remove bad accounts using information we uncover and intelligence from a variety of sources, including government agencies," end quote.

Dave Bittner: [0:03:35] Evanina's warning was motivated by the June conviction of Kevin Mallory, a retired CIA officer on charges of conspiracy to commit espionage. A Mandarin speaker, Mallory found himself financially pinched in retirement. He was contacted over LinkedIn by an individual using the name Richard Yang, who represented himself as a headhunter. Yang arranged a contact between Mallory and a third man who said he worked for a Shanghai think tank. Mallory made two trips to Shanghai, during which he agreed to sell defense secrets to his Chinese contacts. Mallory, who the U.S. government thinks probably knew full well what he was getting into, will be sentenced in September and might get life.

Dave Bittner: [0:04:20] But, hey, doesn't everybody recruit over LinkedIn? It's worth noting that this kind of recruiting can look initially legitimate. It's not as though you'll get a direct message inviting you to connect because, hey, you look like you might have treasonist skills - nor are foreign intelligence services scouring LinkedIn for profiles of people who describe themselves as driven professionals with a passion for betraying their country, reasonable compensation to be determined in negotiation. No, the recruiters seek to connect, elicit a response, habituate you to talking with them then to doing small favors or good offices.

Dave Bittner: [0:04:57] And before you know it, you've moved from advising someone on your common hobby of stamp collecting to handing over plans for an F-35 radar. Maybe the contact is someone you've never met, or maybe it's a friend of an acquaintance. Or maybe it's someone you vaguely remember swapping cards with at that busy rootin'-tootin' cyber-shooting happy hour just outside Fort Gordon. You remember, don't you? They had a bull ride in the barroom and everything. By the way, if you've ever tried to connect with our editor, and he hasn't responded, it's probably because he thinks you're some kind of intelligence officer. That kind of suspicion, it's like a sickness with him. He doesn't mean to be rude.

Dave Bittner: [0:05:39] A hacking crew called WindShift is exploiting Mac OS vulnerabilities in an espionage campaign directed against the Gulf Cooperation Council. That's Saudi Arabia, Kuwait, the UAE, Qatar, Bahrain and Oman. The malware payload is distributed in spear-phishing attacks. They promise more details later. There's no further attribution from DarkMatter, the security company that announced the discovery. As difficult as it may be to look at that target list and not think of that regional rival in the Gulf Cooperation Council - the one with the capital in Tehran - it's important, as always, to remember that many - most - all nations spy and that there are many services who'd be interested in the Gulf.

Dave Bittner: [0:06:25] Qihoo 360 warns that GlobeImposter ransomware is now out in more than 20 variants, and they expect it to continue to evolve and spread. The researchers consider it the most troubling family of ransomware currently in circulation.

Dave Bittner: [0:06:41] Russia would like to block the Telegram encrypted messaging service, but their attempts have been unsuccessful. They haven't yet come up with a way of stopping telegram without also stopping a lot of other traffic. And that's unacceptable collateral damage.

Dave Bittner: [0:06:58] The Five Eyes, as the intelligence services of the U.S., U.K., Australia, Canada and New Zealand are called, in recognition of roughly a century of close cooperation, agreed this week to increase collaboration in cyberspace. The official communique covered much familiar ground - determination to work against terrorism, cooperation on law enforcement, border security with an emphasis on fighting human trafficking, a shared commitment to a safe and open internet, determination to protect children and so on.

Dave Bittner: [0:07:30] Four points are worth particular mention. First, the five governments expressed a common determination to share intelligence and resources to thwart foreign influence operations. Second, the governments say their talks this year have focused on tangible deliverables and practical collaboration. Third, they regret that industry declined their invitation to participate in the discussion because none of this will work without industry help.

Dave Bittner: [0:07:57] And finally, they're not going to give up the Crypto Wars. They remain concerned that end-to-end encryption makes it too easy for criminals and terrorists to operate with impunity. The discussions produced a joint statement of principles on access to evidence and encryption. One concession to the pro-encryption side - governments should recognize that the nature of encryption is such that there will be situations where access to information is not possible - although such situations should be rare.

Dave Bittner: [0:08:29] Google's tightened security key, introduced recently with pride and aplomb, is manufactured in China, which has already prompted spoilsports to spit in the soup by asking for some transparency about supply-chain security. Come on, guys. Lighten up. We are pretty sure someone we connected with on LinkedIn told us those supply chains in China are great - just aces.

Dave Bittner: [0:08:53] Monday is Labor Day here in the U.S., and we'll be observing the federal holiday by taking the day off - probably to hit the Maryland State Fair up in Timonium. We'll resume normal publication and podcasting on Tuesday. Of course, Research Saturday will be up as usual tomorrow, as will the week that was. It's just Monday we're taking off. Take a breather if you can. And we'll see you next week.

Dave Bittner: [0:09:21] Now a few words about our sponsor, the Incident Response Consortium - a leading nonprofit organization working to advance the cybersecurity industry through community-building and the sharing of best practices. They're returning to the D.C. metro area this year with their popular free security conference IR18. That's right. It's free. And it's being held September 5 and 6 at the Renaissance Arlington Capitol View Hotel. IR18 welcomes experts, those new to the industry and anyone looking to learn more about the critical issues of cybersecurity. There will be valuable cybersecurity best practices training, hands-on vendor product training, cyber range wargaming, social networking, career opportunities, mentorship opportunities, chances for educational scholarships and much more. Of course, they'll be free breakfast and lunch too. Don't miss this great learning opportunity. And it's a chance to make new friends and build professional relationships. Space is limited. And with over 600 registered attendees already, be sure to head on over to to register today. That's We thank the Incident Response Consortium for sponsoring our show.

Dave Bittner: [0:10:45] And joining me once again is Johannes Ullrich. He's from the SANS Institute. He's also the host of the ISC StormCast podcast. Johannes, welcome back. We have seen a lot of stories coming by about iPhone security and how Apple has sort of been upping their game when it comes to some of the protections when it comes to the iPhone - doing time limits and so forth. But you wanted to share some news about how thieves are still managing to unlock iPhones. So what do you have to share today?

Johannes Ullrich: [0:11:12] Yeah, what you mention is really when, you know, law enforcement tries to access and unlock the iPhone, they sometimes have access to these Grayloc devices - are what they're called - essentially brute force the PIN that's used to lock the device. So best practice now, you lock your device with a PIN code. But thieves go a little bit differently about unlocking iPhones. They have a couple of neat sort of social engineering tricks that they tend to use.

Johannes Ullrich: [0:11:39] Now, one trick, for example, is your iPhone, well, it has a removable SIM card. The SIM card can be plugged into another phone. Typically, that other phone takes on the identity of your iPhone. So that phone, which is owned by the thief, it's of course not locked. And it will now receive, for example, text messages that are used for password reset, in some cases. And the attacker also now knows your phone number, which can be helpful for sort of other tricks that they're playing, like social engineering tricks.

Johannes Ullrich: [0:12:14] Often when your iPhone is lost or stolen, you will now, for example, set up the iPhone in locked mode, which basically alerts you whenever it is being found. Well, what hackers are doing now is they'll send you a fake message that appears to come from Apple that tells you, hey, your phone was found. Click here to display the location. Imagine what happens next? Well, you click on the link, and you end up on a phishing site. So now the attacker is able to get the user name and password for your iCloud account. And with that, they may be able to turn off this lock on the phone and reset it.

Johannes Ullrich: [0:12:53] In some case, they may also just call you if you display, for example, a phone number on the iPhone. And you can do that when you mark it as lost or stolen. They'll call you. And they say, hey, we found your phone. And, well - but we want to send it back to you, but we first have to know that it's actually your phone. And then they trick you into unlocking the phone in order to do this verification. So a lot of social engineering happening here.

Johannes Ullrich: [0:13:16] Now, there are a couple things that you can do to protect yourself. First of all - and that's a feature that's not often used - you can protect your SIM card with a PIN code. What happens is when the iPhone is turned off, and you turn it back on, before the SIM card can be used, you have to enter a four-digit PIN code. You can do this in your cell network settings within the iPhone. And that protects yourself from someone removing the SIM card and plugging it into another phone. And the second thing that you definitely should do is enable two-factor authentication - prevents some of these phishing attacks.

Dave Bittner: [0:13:55] All right. (Laughter) Well, it's good information. Johannes Ullrich, as always, thanks for joining us.

Johannes Ullrich: [0:14:00] Thank you.

Dave Bittner: [0:14:05] And now a word from our sponsor, the upcoming Cyber Security Conference for Executives. The Johns Hopkins University Information Security Institute and Navigant will host the event on Tuesday, October 2, in Baltimore, Md., on the Johns Hopkins Homewood Campus. The theme this year is cybersecurity compliance and regulatory trends. And the conference will feature discussions with thought leaders across a variety of sectors. You can find out more and register at and click on the Fifth Annual Cyber Security Conference for Executives. Learn about emerging regulations and how the current cybersecurity landscape is changing as companies must adhere to these regulations and take actionable steps to become compliant. Check out all the details at and click on the Fifth Annual Cyber Security Conference for Executives.

Dave Bittner: [0:15:05] It's my pleasure to welcome back to the CyberWire WIRED senior writer Andy Greenberg. He's author of the recent WIRED article, "The Untold Story of NotPetya, the Most Devastating Cyberattack in History."

Andy Greenberg: [0:15:19] NotPetya was this piece of malware that exploded across the internet in June 26 of 2017. And it at first seemed like it was a ransomware worm like WannaCry, which had happened just a couple of months earlier. But then it turned out that it - there was no way to pay the ransom. It was simply a wiper disguised as ransomware. It was just encrypting computers irreparably. And it targeted Ukraine but spread across the world and then used - I would say three components to achieve a really virulent spread.

Andy Greenberg: [0:15:55] It first used this backdoor in this Ukrainian accounting software called M.E.Doc that essentially allowed NotPetya's creators a foothold onto any machine that was running this kind of Ukrainian TurboTax or Quicken software. Anyone who was doing business in Ukraine basically had this software. And then, within a network that was running that software on even just one machine, it could spread by two kind of intertwined techniques. One was an adopted version of Mimikatz, the tool that can basically pull plain-text passwords out of a Windows machine's memory and use those to log into an - any other machine that uses those credentials.

Andy Greenberg: [0:16:37] And then the other one was the leaked NSA hacking tool EternalBlue, which had been patched, but still - there was a patch available, but it still hadn't been patched to all the machines. So NotPetya would use that to break into unpatched machines. And then it - when the machine was patched, it could sometimes still get access with Mimikatz.

Andy Greenberg: [0:16:54] And so with this kind of hopscotching technique of one exploit over the other one, it could spread to thousands of computers within a multi-national company's network in seconds, sometimes. And it turned out to just be a devastating attack and spread to companies like Maersk, and Merck, and FedEx, and the French construction company Saint-Gobain, and the food producer Mondelez and just an - a long list of huge companies, inflicting nine-figure, 100 - hundreds of millions of dollars in damage to each one and turned out to be the most expensive malware attack in history.

Dave Bittner: [0:17:32] Now, your article digs into the situation at Maersk in detail. And one of the things that strikes me about this is that this crosses over the cyber domain. We're talking about real things, real products that have to be shipped around the world.

Andy Greenberg: [0:17:50] Right. The book I'm working on is about this hacker group, Sandworm. And this seems to be their specialty, is that they inflict damage that does cross that line. They were responsible for the blackout attacks in Ukraine, for instance. And they deployed NotPetya too. And NotPetya did inflict this kind of physical paralysis as well, mostly by virtue of the companies that it hit. And Maersk is the best example of that. I mean, 17 of Maersk's 76 terminals and ports around the world were completely shut down by this, with thousands and thousands of trucks just lining up outside of the gates of those ports, unable to check in. It - you know, it was crippling of - a big part of the global logistics supply chain.

Dave Bittner: [0:18:36] Now, one of the conclusions I think that there's general agreement on is that this was sourced from the Russians targeting Ukrainians.

Dave Bittner: [0:18:46] But I think there's a lot of speculation and disagreement over whether it was intended to get out beyond that, whether it was intended to get out in the wild. And that's something that you touched on in this article.

Andy Greenberg: [0:18:59] Well, computer worms spread by their very nature. And they - that means they often spread out of control or almost always spread out of control, it seems like. You know, in this case, it took literally - I don't know - minutes for NotPetya, it seems like, to spread beyond its intended target of Ukraine to all of these multi-national companies that just had sometimes, you know, an office in Ukraine, or a couple of computers even in Ukraine was all it took for one of those machines running this accounting software just to become the patient zero for their infection.

Andy Greenberg: [0:19:30] Whether it was an accident is still up for debate. You know, the - at the very least, we can say that it was insanely reckless of the Russian state to launch this piece of malware that had no controls, had no way of trying to determine if it was in Ukraine or not before causing all this destruction.

Andy Greenberg: [0:19:49] Craig Williams at Cisco Talos made the argument to me that it wasn't an accident that it hit all of these multi-nationals, that in fact it was trying to send a message to them too - don't do business in Ukraine. You know, this is our enemy. Stay away. In fact, I've heard before that one of Russia's goals with its ongoing cyberwar in Ukraine - and this is really a multi-year thing now - is to scare away investment and partnerships and to make Ukraine look like a dangerous, failed state that you don't want to do business in.

Andy Greenberg: [0:20:19] And I think that this had that effect, you know, whether it was intended or not. I do think that multi-nationals are going to approach Ukraine differently when they know that it's essentially a war zone and that they could be collateral damage if they even, you know, put a foot into it.

Dave Bittner: [0:20:35] What was the response from the rest of the world in terms of policy? Did - you know, how did people come down on Russia? Was there punishment?

Andy Greenberg: [0:20:44] Not initially, and maybe never enough. The - it took eight months for the U.S. to institute sanctions in response to this. And it took nearly that long for really all of the Five Eyes to publicly state that this was Russia's - you know, Russia behind this. The fact that there were sanctions is - you know, I think that that's totally the right move. But eight months is quite a long time.

Andy Greenberg: [0:21:08] And then, not long after those sanctions were pushed through - and it seems like the real proponents of that within the Trump White House were Rob Joyce and Tom Bossert, really the two most senior cyber officials - both of them left very mysteriously from the White House. And I have not yet gotten a good answer about why.

Andy Greenberg: [0:21:28] We know that Trump has a very complicated story, notoriously, about responding to Russia or, you know, is he soft on Russia? Is he willing to, you know, hold Russian hackers to account? It seems like in this case a couple of his officials were, but then they were very quickly pushed out, from what I can tell. So that doesn't - sends the right message to Putin either. I think it's encouraging that there were sanctions. It wasn't a - as unified a message as it could have been.

Andy Greenberg: [0:21:56] Had - you know, will it deter the next one of these? It's hard to say. I mean, there were even sanctions against Russia for its election interference as well, and it seems like that has continued in certain ways, certainly around the world. And it is hard to put Putin in a box. It seems like he resists all forms of deterrence. So I don't know if it's enough.

Dave Bittner: [0:22:17] Yeah. It strikes me that - and I don't want to overstate it here or use hyperbole - but it reminds me a little bit of biological warfare in the way that this sort of thing can spread and reach beyond intended targets. And I can't help wondering if we need to head toward some sort of international norm where this kind of attack from a nation-state is prohibited and nations around the world agree on that.

Andy Greenberg: [0:22:47] I think that that does sound like the right answer. I mean, we talk about discussions of whether attacks on critical infrastructure are OK. And then sometimes it sounds like they're OK in wartime. This was a wartime attack. But it - in this medium of the internet, attacks from one nation against another don't stay in that nation. So that's what happened here, is that this - you know, there was - this was, like, a nation-against-nation attack that became a global epidemic immediately. And that is a dangerous, new, and I think poorly understood phenomenon.

Andy Greenberg: [0:23:19] And the answer may be that we have to set rules about infectious virulent attacks like this and just say that they're off-limits, as you say, in the same way as biological warfare is. I mean, I think that treating this sort of thing and attacks on critical infrastructure by hackers as a kind of war crime seems like part of the larger solution.

Dave Bittner: [0:23:41] That's Andy Greenberg, senior writer at WIRED. He's the author of "The Untold Story of NotPetya, the Most Devastating Cyberattack in History." His forthcoming book is titled "Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers." We'll see that book's release next year. There's an extended version of my interview with Andy Greenberg over on our Patreon page. That's

Dave Bittner: [0:24:13] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [0:24:40] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.