The CyberWire Daily Podcast 10.9.18
Ep 700 | 10.9.18

Update on supply chain seeding reports. GRU comes in for more criticism. UK prepares cyber retaliatory capability. Power grid resilience. Panda Banker. Google's good and bad news.

Transcript

Dave Bittner: [00:00:03] Bloomberg's report of a Chinese seeding attack on the IT hardware supply chain comes in for skepticism. But Bloomberg stands by and adds to its reporting. Everyone is seeing Russia's GRU everywhere, and Russia feels aggrieved by the accusations. The U.K. prepares a retaliatory cyber capability. The U.S. looks to grid security. Cylance describes Panda Banker. And Google had a good day in U.K. courts Monday but a bad day elsewhere.

Dave Bittner: [00:00:39] And now a word from our sponsor, Wombat. When it comes to security, it doesn't matter how deep your moat is or how high your castle walls are if an unaware employee lowers the drawbridge for cybercriminals. Ninety percent of attacks now start with phishing and social engineering to gain access to systems and data. So educating your employees to spot and defend against these threats is more crucial than ever. Wombat Security, a division of Proofpoint, is the leading provider of information security awareness and training software designed to educate your employees to identify social engineering and protect your organization. Through phishing simulation and knowledge assessments, Wombat paints a picture of where your employees are vulnerable and changes their risky behaviors through highly effective interactive training. Born from research conducted at Carnegie Mellon University, Wombat's suite of training covers topics from phishing and social engineering to physical and office security and even compliance topics like GDPR. And now through an integration with Proofpoint's world-class threat intelligence, Wombat is leading the way with phishing simulations and content based on the latest emerging threats. Don't let cybercriminals into your castle. Transform your employees from risky to ready with Wombat Security. To learn more, visit wombatsecurity.com/cyberwire. That's wombatsecurity.com/cyberwire. And we thank Wombat for sponsoring our show.

Dave Bittner: [00:02:10] Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:14] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 9, 2018.

Dave Bittner: [00:02:22] Bloomberg's report of Chinese hardware seeding attacks on the IT supply chain received more skeptical criticism over the long holiday weekend. Both Apple and Amazon quickly denied the report as soon as it was published. And their denials were specific and unambiguous. On Friday, the U.K.'s National Cyber Security Centre said it had no reason to doubt Apple's and Amazon's assessments. On Saturday, the U.S. Department of Homeland Security agreed. They said, quote, "like our partners in the U.K., at this time, we have no reason to doubt the statements from the companies named in the story," end quote.

Dave Bittner: [00:03:00] Bloomberg's story said that the incident was under government investigation. But DHS - and for that matter, GCHQ - each deny investigating the issue. There are, of course, other agencies who might investigate. The hardware security expert cited by name in the Bloomberg story, Joe Fitzpatrick, told the "Risky Business" podcast that the analysis he provided was more along the lines of this is what could happen, as opposed to this is what did happen. Fitzpatrick also said that he was uncomfortable with the story as published and that he told Bloomberg the account of the chips being used as a back door didn't make much sense to him.

Dave Bittner: [00:03:37] And an op-ed in CSO disputes the seeding attack story on grounds of a priori probability. Why, asks columnist Robert Grimes, would Chinese intelligence compromise the hardware supply chain when it was already enjoying general success in stealing intellectual property by conventional hacking? And why would they do so in a way bound to damage their own manufacturers' solid position in the market? We can think of several answers - poorly coordinated operations, the competing agency equities and attendant disagreement over tactics that appear in any government, simply folly or miscalculation or perhaps the basic animal tendency we all share of enjoying doing things we're capable of doing. But Grimes' point is worth considering. It does seem like an oddly conceived operation.

Dave Bittner: [00:04:27] For its part, Bloomberg is standing by its story. Late this morning, they published a follow-on, including on-the-record statements by experts at Sepio Systems, a Maryland-based security firm, to the effect that Sepio had indeed found the Chinese spy chips in systems belonging to one of Sepio's clients, a telecommunications company. Non-disclosure agreements preclude Sepio from saying who that client was. But they do say they found the hardware implant in a Super Micro component. The spy chip was found in the server's ethernet connector, they say. No one would seriously dispute that the kind of supply chain attack described by Bloomberg would be a nightmare, as The Daily Beast puts it. But whether the nightmare came true remains an open question. As Bruce Schneier pointed out in a Marketplace interview, the IT supply chain is probably irreversibly internationalized and couldn't be made otherwise without costs no one would reasonably be willing to pay.

Dave Bittner: [00:05:26] Germany has joined other nations in attributing widespread cyberattacks to Russia's GRU. That's APT28, also known as Fancy Bear. Latvia accused the same Russian agency of hacking its defense and other government networks. And Brazil is voicing concerns about Russian election influence operations. Russia continues to deny having done anything at all. And Moscow is calling in the Netherlands' ambassador to demand an explanation of why his government is saying bad things about the GRU. The GRU officers expelled from the Netherlands last week weren't, says Moscow, GRU officers at all, even if there were any such thing as the GRU. They were just tourists. We imagine them as being tulip and windmill aficionados.

Dave Bittner: [00:06:13] The U.K. continues to be justifiably upset about the Novichok attacks and Russia's accompanying information campaign about them. But the U.K.'s even more concerned, and has been for some time, about attacks on its critical infrastructure, especially power distribution systems. The Times of London and Quartz, among other news services, report that the U.K. is preparing a retaliatory capability against Russian cyberattacks. According to The Times, that capability is being tested in exercises. According to Quartz, the prospective target of the retaliation is the Russian power grid.

Dave Bittner: [00:06:49] The U.S. Department of Energy is also warning of the possibility of attacks on the grid, with Secretary Perry suggesting last week that the threats range across the usual spectrum, from a kid in a parent's basement to a nation-state espionage service. The department is investing in various R&D projects designed to increase grid resilience. They mention protecting alternative energy sources like wind turbines. And there's an evident interest in protecting turbines more generally considered.

Dave Bittner: [00:07:18] Last week's multinational accusations against Russia's GRU included, among many other particulars, an account of GRU hacking of Pittsburgh-based Westinghouse. Where reports discussed the Westinghouse intrusion, they made prominent mention of the company's work on nuclear reactors. The juxtaposition of cyberattack and nuclear is always scary enough. But it's worth placing this in the context of cyber threats to critical infrastructure and industrial processes more broadly considered. Phil Neray, VP of Industrial cybersecurity at CyberX, put it this way to us in an email. Quote, "almost buried in the indictment is a description of how the GRU hacked Pittsburgh-based Westinghouse, whose power plant designs are used in about half of the world's nuclear power plants.

Dave Bittner: [00:08:05] One of the motivations for this attack would be to steal sensitive design information about industrial control systems so that Russian threat actors could further compromise critical infrastructure in the West. This is pretty sobering, especially when you realize that the GRU is also responsible for unleashing NotPetya on the world, a destructive worm which has been called the most devastating cyberattack in history," end quote.

Dave Bittner: [00:08:29] Note the point about the threat of preparatory reconnaissance. We tend to think of hacks against industrial firms as having the theft of intellectual property as their goal. That's certainly been true enough, particularly with respect to Chinese industrial espionage. But there are other reasons to go after a company's files, and battle space preparation is one of them.

Dave Bittner: [00:08:50] Security firm Cylance today released their study of Panda Banker, the malware that's targeted bank accounts, credit cards and web wallets, mostly in the United States, Canada and Japan. It infects systems through API hooking, injecting its scripts into a target webpage in the victim's browser. Panda Banker's malware is notable for what Cylance calls heavy code obfuscation and multi-encryption layering. Upon installation, it checks for both sandboxing and manual analysis, looking for packet capture programs, debuggers, disassemblers and similar analytical tools.

Dave Bittner: [00:09:26] If it detects any of these, it exits and deletes itself from the victim's system. Panda Banker was first observed working against Japanese banks in March of this year. In August, Cylance observed it in action against other Japanese companies. There's no further attribution beyond the description of the threat actor. It is regarded as a variant of the familiar Zeus trojan, which suggests a criminal gang.

Dave Bittner: [00:09:51] As the week opened, Google was the subject of some good news and some bad news. First, the good news - good for Google. Yesterday in the U.K., the high court threw out a suit that could have cost Google 3.3 billion pounds. The suit concerned illegitimate data collection from Apple's Safari browser, the Safari workaround, between August 2011 and February 2012. Google has settled various U.S. claims over the same incident for a total of $39.5 million.

Dave Bittner: [00:10:23] And the bad news - Google announced yesterday that it would wind down its social network. Google Plus had been commercially disappointing. It was also leaky. The Wall Street Journal reports that Google Plus revealed user data to app developers without users' knowledge. The Journal says Google knew about the API issue in March but decided on legal advice that it wasn't, strictly speaking, obligated to disclose it. Mountain View feared regulatory scrutiny and reputational damage. Google has also said it wasn't able to find out enough about what had been or could have been affected by the API mishap to notify anyone, so individual notifications would have been effectively impossible.

Dave Bittner: [00:11:06] It's as if Sophocles has come to Silicon Valley. Just as exposing the infant Oedipus on a mountainside brought about the very disaster it was intended to avert, so too will legal maneuvering through regulatory loopholes probably bring about the closure of those loopholes, tighter regulation and more public odium.

Dave Bittner: [00:11:25] Well, maybe that's overstating things. We're not quite sure how far to push the analogy. But it does seem clear that Google will face increased scrutiny and that sentiment for national, as opposed to state-level, regulation of breach disclosure and data privacy matters will surge, at least for now. The demise of Google Plus may also have some implications for the antitrust scrutiny the social media sector is currently facing. Do network effects operate so strongly in the sector as to render single large incumbents effectively immune to challenge by competitors? If Google can't compete in that space, who can?

Dave Bittner: [00:12:12] And now a word from our sponsor. Who's that sponsor, you say? Well, it's none other than the mysterious team behind the spectacularly successful fake security booth at RSA 2018. You remember. It was the one with no vendor name, no badge scanning and the charismatic snake oil salesman pitching his imaginary cybersecurity cures for all that's ailing businesses around the world. So who was behind that booth? Why did they do it? Who's really sponsoring our show today? Get the answers you've been dying to hear and hear the story behind the booth at fakesecurity.com/cyberwire. That's fakesecurity.com/cyberwire. And we thank whomever it is for sponsoring our show.

Dave Bittner: [00:13:06] And I'm pleased to be joined once again by Justin Harvey. He's the global incident response leader at Accenture. Justin, we wanted to talk today about some of the methods that hackers are using to perform reconnaissance, to go through that system and see what's going on. What can you share with us?

Justin Harvey: [00:13:22] Well, what I can share with you is that the OSINT, the open-source intelligence network, the internet, all of the sources available to us today, are not making it any easier for us as defenders. It's only making it easy for the bad guys. Let's just take a few years ago, when adversaries could profile companies. They could take a domain name. They could plug it into a system. They could get not only who registered the domain name but all of the changes of people that have touched that domain information. They can list all of the hosts within that domain name, so you can see things like, do they call their email system email, or do they call it mail, or call it OWA or perhaps they call it outlook.domain.com?

Justin Harvey: [00:14:05] And that sort of discovery enables adversaries to then connect into a port scan across all of those systems. So let's take, for instance, vpn.domain.com. They're going to run a port scan versus that host. They're going to see that there's a commonly known VPN port that's there. They're going to connect to it. And in some cases, you can actually derive what VPN software and what version, and then of course run that against things like the National Vulnerability Database and see if that is vulnerable.

Justin Harvey: [00:14:36] But it doesn't stop there. That's old-school. That's the manual way. Today, there's websites like Shodan. And Shodan, its main purpose is to scan literally every IP address out in the internet today and to connect up to every one of those hosts and do a port scan, and then find the commonly understood protocols and also do some analysis or some analytics around that to see what's vulnerable. So if you wanted to see, for instance, for all of the publicly exposed webcams of this certain overseas vendor between version this and that running on this port, you could then go to Shodan and get a complete report about that. So it's getting even easier to profile organizations from a technical level.

Dave Bittner: [00:15:28] Now, what about this notion - I've heard organizations are using misdirection. So if someone comes in and tries to scan them, they'll see stuff that doesn't tell them the real story.

Justin Harvey: [00:15:40] So deception-based computing, things like honeypots or displaying false information, is certainly a means to throw off and to introduce a smokescreen to your adversaries. But let's not forget that many companies have to expose legitimate ports and services to their customers or to their partners. So while that may throw off the scent or mislead or misdirect potential adversaries, there's still quite a few ports and services that need to be exposed for an organization in order to do their normal course of business.

Dave Bittner: [00:16:21] OK. So that's the technical side of things. But what about the human side? What kind of stuff are they doing to get information on the people?

Justin Harvey: [00:16:27] Like all of us, when we're upset, or we want to contact the leadership of a company, we can go there. We can look at the About Us. We can look at the contact page. Perhaps we can even look at their board of directors and their C-Suite and their pictures. That gets us the name of the company officers. And even if a company is public and they don't publish that information, you can still get it through SEC filings, like their 10-K. So that gets you the listing of some of the top employees in the company. Then it's just a matter of inserting those names into things like Google, LinkedIn, Facebook, Instagram, Twitter, and you can derive a lot of insight and information.

Justin Harvey: [00:17:10] Let's say that you're profiling the CFO of an organization. And this woman, let's say that she - you search for her in Facebook, and there's not a whole lot in Facebook, but she did post that she and her son ran a 5K in the city that they live in. Well, now you know that this CFO has a son, and you know that she's an avid runner. Then let's go to LinkedIn, and let's search on her. And let's say you actually make a fake profile, which many of our adversaries do. Let's say it's someone from her alma mater, from her college. You connect up with her, and then you see her personal email address.

Justin Harvey: [00:17:48] Now you have who she is, basically where she lives. She has a son. She's a runner. She ran a race. You have her personal email address. That's enough to craft a specifically targeted phish to her on her personal email address. Perhaps it's an attachment. Perhaps you want her to click on a link, and now you've got her. So even in a worst-case scenario, let's say that that CFO reads that email and clicks the link, but she does it from her work computer. Now you've even been able to compromise someone on the inside. And if they click that phishing link from her personal email address, now you've also circumvented all of the email security and email controls, and you're within her browser. So adversaries - this is straight out of the book of what most of our adversaries are doing on a day-to-day basis.

Dave Bittner: [00:18:38] Yeah. All right. Justin Harvey, thanks for joining us.

Justin Harvey: [00:18:42] Thank you, Dave.

Dave Bittner: [00:18:46] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.

Dave Bittner: [00:18:54] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:19:12] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at VMware.com.

Dave Bittner: [00:19:21] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.