Bloomberg reports a seeding attack on the supply chain by Chinese intelligence services. GRU is named, shamed, indicted, and expelled.
Dave Bittner: [00:00:03] Bloomberg reports that a Chinese hardware hack has infested sensitive U.S. supply chains. Dutch authorities expel GRU officers for attempting to hack the international body investigating the nerve agent attack in Salisbury. Australia, the U.K. and Canada all figure the GRU is responsible for high-profile cyberattacks. And the U.S. indicts seven GRU officers for a range of hacking-related crimes.
Dave Bittner: [00:00:35] Time to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:44] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 4, 2018. Chinese cyber operations against the U.S. are scheduled to come front and center when U.S. Vice President Michael Pence delivers a speech laying out the American case against China for influence operations directed at the coming midterm elections.
Dave Bittner: [00:02:07] But a report this morning by Bloomberg offers some startling allegations. The news organization's investigation alleges that China succeeded in compromising U.S. computer hardware supply chains with maliciously crafted chips. The chips, Bloomberg says, were found in motherboards of servers intended to handle, among other things, U.S. government files, some regarded as sensitive. They turned up in equipment made for Amazon, which apparently alerted U.S. authorities of suspicions about the hardware, and for Apple.
Dave Bittner: [00:02:39] Video encoding shop Elemental Technologies, since 2015 an Amazon subsidiary now known as Amazon Prime Video, engaged Super Micro to assemble its servers. Super Micro used several Chinese subcontractors in the process, which is where the compromise is thought to have occurred. Bloomberg says Amazon noticed something fishy - very small chips on the motherboards not part of the design - after it acquired Elemental and undertook a routine security review of the equipment that Elemental engaged California-based Super Micro to build for it. Their tip to the government opened an investigation - Bloomberg calls it top-secret - that remains open three years later.
Dave Bittner: [00:03:23] Among the results, Bloomberg reports, is a finding that the chip established a persistent back door into the system on which it was mounted. If this is what happened, it would be a seeding attack with malicious hardware placed upstream in the supply chain, where it would eventually find its way into targeted systems. The other class of hardware attack that's sometimes discussed is an interdiction attack, in which finished devices are altered while they're in transit between manufacturer and end user.
Dave Bittner: [00:03:51] Some 30 companies in various sectors are thought to have been affected, and Super Micro hardware is used in a wide variety of systems, including some used by the U.S. military. Apple and Amazon Web Services are both said to have been affected, and both strongly denied to Bloomberg that the incident ever occurred. Amazon said, quote, "it's untrue that AWS knew about a supply chain compromise, an issue with malicious chips or hardware modifications when acquiring Elemental," end quote.
Dave Bittner: [00:04:21] Amazon also told news outlets in France that, quote, "at no time past or present have we ever found any issues relating to modified hardware or malicious chips in Super Micro motherboards in any Elemental or Amazon systems," end quote. Apple wrote, quote, "on this, we can be very clear. Apple has never found malicious chips, hardware manipulations or vulnerabilities purposely planted in any server," quote. Super Micro said, quote, "we remain unaware of any such investigation," end quote.
Dave Bittner: [00:04:54] For its part, the Chinese government deflected direct questions about what did or did not find its way into Super Micro hardware, issuing a pious statement about logistics that said in part, quote, "supply chain safety in cyberspace is an issue of common concern, and China is also a victim," quote. No comment from the FBI or the office of the director of national intelligence.
Dave Bittner: [00:05:16] But Bloomberg is standing by its story. Its notes on sources are interesting and worth quoting - quote, "six current and former senior national security officials who, in conversations that began during the Obama administration and continued under the Trump administration, detailed the discovery of the chips in the government's investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon. The official and one of the insiders also described Amazon's cooperation with the government investigation.
Dave Bittner: [00:05:51] In addition to the three Apple insiders, 4 of the 6 U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Super Micro's hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive and, in some cases, classified nature of the information," end quote.
Dave Bittner: [00:06:12] Concerns about supply chain hacking with malicious hardware have worried U.S. government policy advisers for more than 10 years, with studies from Sandia National Laboratories and elsewhere pointing out the potential threat. That threat may have been realized. President Trump and his administration have made no secret of their concerns about Chinese hardware in the supply chain and have made that hardware a focus of trade sanctions with the confident hope that manufacturers will move to other suppliers.
Dave Bittner: [00:06:43] Switching gears a bit to more routine protection of data, it's widely understood that it's important to have plans in place for the possibility or eventuality of a serious data breach. We spoke with Oussama El-Hilali from Arcserve, who offers his thoughts on proper continuity and disaster recovery preparation.
Oussama El-Hilali: [00:07:02] Well, quite often, what we see is that organizations will either not protect all of their data, or may come into an approach where their - they think their - the data is protected. But often, the situation is that they have a third-party, you know, or they're putting the data in the cloud. And they're assuming that because the data is in the cloud, it's somehow backed up and protected and there's multiple copies of it.
Oussama El-Hilali: [00:07:29] And quite often, it's the inability to distinguish between what is critical and what is not so critical. Obviously, if you have files that are related to contracts or things that the frequency of accessibility is long - you know, it gets pulled once every seven years or once every two years, it's not like an application that has your email and your communication systems on them. So that qualification sometimes creates a problem for those organizations.
Dave Bittner: [00:08:03] What about the notion of people rehearsing their plans? Is that something where people don't often take it to the degree that they need to?
Oussama El-Hilali: [00:08:12] Yeah. That's a very, very good question, actually. Quite often, you know, people are backing up based on a policy that they have established. And the person who established the policy may have had, you know, a notion of how they want to recover the data. But they may leave, and the policy continues to execute on a regular basis. And then when a disaster happens or a need to recover some data happens, those assumptions that were made are no longer there.
Oussama El-Hilali: [00:08:40] So it is very, very important to kind of do that testing - multiple types of testing. For example, if I need a file or I need an email or a granular restore of a mailbox or a certain email, what is the process that I'm following? Quite often, we find that in - the more sophisticated users not only have a plan that they rehearse on a regular basis, but that plan is detailed to the point where it says, you know, here's the names. Here's the passwords. Here's how you access these systems. Here is how these systems are protected so that under most foreseeable circumstances, not only that task can be accomplished and the data can be restored, but also, if something unexpected happens, that can be remedied immediately, and the process continues.
Dave Bittner: [00:09:35] Now you all recently conducted this survey. You surveyed over 600 of your channel partners and other IT decision-makers. And you gathered some interesting data here. What can you share with us?
Oussama El-Hilali: [00:09:47] Yeah. So the survey indicated that half of our - of the people who were surveyed did not have a disaster plan in place. And those who do have a disaster plan in place, they don't regularly test it. I think it's the nature of, you know, human beings to become very, very complacent. And the nature of data protection is such that, if I have an experience that I cannot imagine, you know, the impact of it - but when you look at the numbers and you look at the potential loss of a business, especially in situations where you have a retail organization that has an application that accepts orders directly online from their customers. If that's down, that every second of downtime translates immediately on lost revenue.
Oussama El-Hilali: [00:10:34] Those are the type of situations where a disaster recovery plan has to exist, and quite frequent testing of that disaster recovery plan needs to happen. And the organization needs to know that it needs to estimate the amount of loss that - you know, per second, per minute, per hour, per day, et cetera.
Dave Bittner: [00:10:59] That's Oussama El-Hilali from Arcserve. The other major nation-state threat in the news today is Russia's GRU coming in for naming, shaming, expulsion and indictment in three Western countries. The GRU is also known as Fancy Bear and GU, although no one really calls them GU apart from Russian diplomats indulging some org chart misdirection during tendentious press conferences.
Dave Bittner: [00:11:26] The Netherlands has kicked out four GRU personnel after linking them to an attempted cyberattack on the Organization for the Prohibition for Chemical Weapons; that's the OPCW. They are the international agency investigating the Novichok attacks in Salisbury, England. Australia and the U.K. accuse the GRU, in some detail, of cyberattacks against the World Anti-Doping Agency, the WADA, the U.S. Democratic Party and others. Canada, which hosts the World Anti-Doping Agency in Montreal, joined in the condemnation, saying officially that it assessed with high confidence that the GRU was responsible for hacking WADA. It's worth noting that the attempts on WADA and OPCW appear to have been intended attacks on data integrity, altering, rather than stealing or destroying, information.
Dave Bittner: [00:12:16] And the U.S. Department of Justice today indicted seven GRU officers on charges related to the hacking of WADA and other organizations around the world. The indicted officers were all charged with conspiracy to access computers without authorization, wire fraud and money laundering for buying computer equipment with cryptocurrencies. Five were charged with aggregated identity theft. One was charged with wire fraud, specifically for engaging in spear-phishing. But who knows? Maybe they're just a bunch of sports nutrition enthusiasts.
Dave Bittner: [00:12:53] Now a moment to tell you about our sponsor, ObserveIT. It's 2018. Traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time consuming to maintain and too heavy on the endpoint. They are high-maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:14:03] And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, welcome back. We wanted to touch today on conferences, on trade shows and how to head into them. If it's something new to you, how to get the most out of it. What can you share with us?
Craig Williams: [00:14:19] I think security conferences are one of the best ways to get experience in this industry and definitely one of the best ways to learn from your peers. You know, I think a lot of people go into conferences nervous. And they're concerned about, you know, how will people accept me? Will I be able to, like, connect with people that are on my skill level? You know, am I going to be overwhelmed? And I think what it really comes down to is you've got to think about why people are there, right? How did most people get into security? It's curiosity, right?
Craig Williams: [00:14:46] Everyone's at these conferences because they're curious. They want to learn. They want to meet new people. They want to find people who have better ideas. They want to incorporate those better ideas. They want to share their good ideas. And so I think when it comes down to security conferences, really the first thing is just going in there and being willing to accept conversation from other people, right? Go in like you would going into a party. You know, go in there, and say hi to people. Say hi to people who you don't know. Say hi to people you do know. And just start talking to them about what you're working on, what you can share. What are they working on?
Craig Williams: [00:15:16] And obviously, if it's, you know, one like Defcon or a Black Hat, you should already go in knowing what talks you have to go to, right? I think - I think that's one of the mistakes people make sometimes, is they wait until they actually get at the conference. And then they pull out the agenda and try to figure out what they want to get into. But unfortunately, if it's a conference where you have to sign up in advance, you're going to end up missing a lot of the best talks. So it's always important.
Craig Williams: [00:15:37] Look at the agenda before you get there. When you walk in the door, make sure you start meeting the people you want to meet - because a lot of times, it's your opportunity to meet, you know, like, say, your hero - like somebody who wrote a security tool that you use every day. And you want to talk to them about it and ask them why they designed certain features certain ways. And so I think it's one of those situations where you've really got to be appreciative of the time you're going to have because let's be honest. We've all been at security conferences. And we've all overdone it.
Craig Williams: [00:16:04] So you've got to make sure on the first day, you hit what you want to hit 'cause on the second day, you might sleep in an extra hour or two.
Dave Bittner: [00:16:11] Hey, maybe - I've been known to do that myself. You know, I think you make an interesting point about introducing yourself to people and striking up conversations. It's certainly been my experience that most people are eager to talk about their work. You're rarely going to run into someone who either considers themselves, you know, too important to answer questions or to receive compliments from someone who admires what they do.
Craig Williams: [00:16:36] Yeah, you know, I think - I think a lot of people are nervous to approach someone that they've followed their work before. But in my experience, I've never had a negative reaction. And I've been doing this for 15 years, just going up to people who've been in this industry for 20 or 30 years and saying, hi, I'm blah. I love your work on blah. Tell me about it. Right?
Dave Bittner: [00:16:52] Right.
Craig Williams: [00:16:53] It's always well-received. And so I think, you know, in most cases - I'm sure there are times when it's not going to work out that well. But in most cases, I think if you put yourself out there and go in with a good attitude, you're going to have a really good time and learn a lot.
Dave Bittner: [00:17:04] I wonder too because I think sometimes - I wonder if there's a mismatch because if you - if you follow a lot of security folks in places like Twitter, there can be no shortage of snark. There can be no shortage of people kind of flexing their muscles and demonstrating just exactly how smart they are. But I think, like so many internet things, you know, people, when they're face to face, it might be a little bit different than when they're hiding or they're safe behind the comfort of that keyboard.
Craig Williams: [00:17:34] Yeah. And, you know, I don't even like to think of it like that. I think - I like to think of it in terms of they forget it's a person on the other end of the line, right? At Cisco, one of the things that we're really big on is video conferencing. And I've got to tell you, the difference between talking to someone over video and talking to someone on the phone is a hundred percent sometimes.
Craig Williams: [00:17:52] You know, there are some people that are too busy. They're not thinking about it. They're just shooting a reply across the internet. And it may come across as incredibly snarky and offensive. But then you call them, and you walk them through your thought process. And they're 180. They understand where you're coming from. They try to explain their position. And then everyone goes away a little bit smarter.
Craig Williams: [00:18:13] And so I think you're right. It can definitely come across that way. But I think face-to-face is a much better way to ensure that doesn't happen and to make sure that, you know, you just communicate everything. I mean, let's be honest. Some people - you know, one or two in our industry - they might have a little bit of an issue communicating certain things.
Dave Bittner: [00:18:27] (Laughter).
Craig Williams: [00:18:28] I think if you put them face to face, you really start reducing that. And you can really start, you know, having people make friends and get along.
Dave Bittner: [00:18:34] Yeah. It's good advice. Craig Williams, thanks for joining us. And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:18:49] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. Find out how Cylance can help protect you using artificial intelligence. Visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:16] The CyberWire podcast is proudly produced in Maryland, out of the startup studios of DataTribe, where they are co-building the next generation of cyber security teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.