The CyberWire Daily Podcast 10.18.18
Ep 707 | 10.18.18

Looks like Comment Crew, but probably isn't. Facebook breached by spammers. Twitter's big troll trove. Router issues. Who dunnit to YouTube?


Dave Bittner: [00:00:03] A campaign reuses some of the old Comment Crew code, but McAfee researchers think it's not the same old Crew. Facebook thinks its big breach was the work of spammers, not spies. Twitter releases a trove of trolling and invites researchers to take a look. Researchers disclosed flaws in D-Link and Linksys routers. Ghost Squad says that they downed YouTube the other day, but who knows? And if YouTube does go down, please don't call 911.

Dave Bittner: [00:00:37] Time to take a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows.

Dave Bittner: [00:01:16] Want to learn more? Check out their newest research paper, entitled "Building a Threat Intelligence Platform." ThreatConnect surveyed more than 350 cybersecurity decision-makers nationwide. Research findings include best practices and the impact to businesses due to threat intelligence programs and how organizations who have fully mature programs have prevented phishing attacks, ransomware attacks and business email compromise. To check out the research paper, visit That's And we thank Threat Connect for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:03] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 18, 2018. Researchers at McAfee Advanced Threat Research report finding a hitherto unremarked data reconnaissance implant that's targeting Korean speakers. They're calling it Oceansalt, an homage to the earlier Seasalt implant that the old Chinese Comment Crew used back in 2010. Indeed, Oceansalt reuses code from Seasalt. The very prolific and busy Comment Crew, also known as APT1, is thought to have gone dormant since its exposure in 2013, but it would now seem to be back - only it doesn't seem to McAfee that this is in fact the familiar Comment Crew. There's code similarity. But on other grounds, the researchers conclude that this is a different actor.

Dave Bittner: [00:02:56] McAfee's report posits three possibilities, and they're commendably reticent about jumping to an attribution. Here are the possible scenarios they think most likely. First, it might be a code-sharing arrangement between what's left of Comment Crew and some other threat actor. Or it could be the case that a different group has gotten the Seasalt source code from someone who'd worked in the old Comment Crew. Or, finally, it could be a false flag operation with some unknown threat actor seeking to make it appear that China and North Korea were colluding in this campaign. The researchers do say that whoever wrote the code had at least a good working knowledge of the Korean language.

Dave Bittner: [00:03:36] Operations are thought to be closely targeted, with the implants distributed via two compromised sites based in South Korea and to be prospecting targets in Canada and the U.S. as well as in the Republic of Korea. The campaign infected its targets through spear phishing, the phish bait in most cases being malicious Excel files. It proceeded in five waves. The first wave targeted South Korean universities, the second, South Korean public infrastructure, and the third wave, the entire Inter-Korean Cooperation Fund. The fourth wave hit targets outside North Korea, mostly in the U.S. and Canada. And a fifth wave prospected American and South Korean organizations. The story is developing. In the meantime, see McAfee's report for details on what to look for.

Dave Bittner: [00:04:25] Many U.S. states aspire to become the Silicon Valley of cyber, and several of them have thriving startup communities. To mention just a few, there are thriving companies along Colorado's Front Range, in San Antonio, Texas, Huntsville, Ala., Atlanta, Ga., New York, N.Y., and Boston, Mass. What they tend to have in common are alpha customers, university researchers or venture capital. Sometimes they have all three.

Dave Bittner: [00:04:51] We're biased, however, in favor of Baltimore, and we think the Chesapeake already is the Silicon Valley of cyber. It has all three of these ingredients, including the biggest alpha customer of them all right next door to us at Fort Meade. And in the spirit of full disclosure, we're one of the hundreds of companies in Maryland's cyber sector, which also spills over into Virginia and even the District of Columbia. We produce this show from the studios at DataTribe, and we're pleased to acknowledge DataTribe as an investor. And today, we speak with DataTribe's Mike Janke, who's working to bring some of the startups who've cut their teeth on government work into the commercial space at Port Covington in Baltimore.

Mike Janke: [00:05:31] It's an opportunity where you coalesce the largest concentration of commercial cybersecurity companies. I liken it to this, Dave. Texas is where you drill to get oil. You don't go to Iowa to drill oil to try to compete with Texas. Why? Iowa doesn't have the oil. It's much like Maryland would not have much of a chance if it tried to become the financial epicenter of the world. That's New York City. Maryland has the largest body of cyber and cyber-trained experts in the world by far. You have the NSA, CYBERCOM, DISA and 30 other classified federal organizations on cyber. New York doesn't have that. Texas doesn't have that. California doesn't have that. So much like the oil's in Texas, all the talent is here.

Dave Bittner: [00:06:28] And is that talent a result of the proximity to government? Is it universities? Is it research and development? What caused that, you know, natural resource, if you will, to spring up here and not somewhere else?

Mike Janke: [00:06:41] It's because of all of those, Dave. You have, obviously, the classified agencies that have hundreds of billions of dollars of funding - NSA, CYBERCOM, DISA, Applied Physics Lab, so on and so forth. But Maryland, for the first time, passed California in 2017 for graduating the most computer science, cyber engineer-related graduates in the country. And what you have now is you have this massive nation-state-trained cyber computer science force that's fighting the Russians, the Chinese, the Iranians from the offensive side. You have the largest university system graduating computer and cyber engineers. And now you begin to build this commercial ecosystem. This is why we're building Cyber Town, USA, right outside of Baltimore in Port Covington.

Dave Bittner: [00:07:44] So in an interconnected world where we can be connected to anyone anywhere in the world with our mobile devices, with our computers - why is proximity important? Why putting everyone together in one place at a place like Port Covington - what are the advantages to that?

Mike Janke: [00:07:59] That's a great question. In this area, the average age of, let's say, an experienced seven-year cybersecurity expert coming out of the NSA or CYBERCOM is about 31. Right? In Silicon Valley, it's about 23. So they may have a husband, kids, a wife, a home. And so it's very, very hard for them to uproot and move to - you know, take the train to New York or California. The other part of that is - right now in Maryland, there are over 260 cybersecurity firms and startups, but they're spread all over. So Port Covington is very unique. It is about 230 acres on the water - raw - where Under Armour put its headquarters. The other part of it that is unique that's never found anywhere in the world: it is the only place - the only small city, if you will - that has its own hardened fiber optic cable that they control. It's not controlled by city, state or county.

Mike Janke: [00:09:15] So all those components aligning - where on Day 1, as the buildings are going up, there will be between 30 and 40 commercial cybersecurity firms moved in. So Maryland and Baltimore itself have given the largest tax incentive fund in the country at $600 and something million for this area. Then you couple in the secure hardened infrastructure from Day 1. So in the world of cybersecurity, there really is a war going on to actually be the flag in the ground that says this is the commercial cyber hub of the world. But again, you don't drill for oil in Iowa, and that's the advantage of Maryland. And I'm a transplant. But the reason I'm here as an investor and startup builder - this is where the talent is.

Dave Bittner: [00:10:13] That's Mike Janke from DataTribe.

Dave Bittner: [00:10:17] Facebook has concluded that the breach it recently sustained was the work of criminal spammers and not a nation-state's intelligence service. The spammers appear to have been interested in using the data stolen from 30 million individuals to increase their revenue from bogus advertising. And of course, the data lost in the Facebook breach can certainly be used to craft more convincing social engineering attacks. Be on the qui vive when you answer the phone or look at your email.

Dave Bittner: [00:10:45] Twitter has released a trove of Russian tweets issued at the time of the U.K.'s Brexit vote. The sock puppets were for it, which will probably come as no surprise since sock puppets tend to think political change is in itself a good thing. The surge in pro-Brexit tweets occurred on June 23, 2016, the day of the Brexit vote. The troll farmers had as many as 3,800 bogus Twitter accounts. And they tweeted out some 1,100 posts with the hashtag #ReasonsToLeaveEU. What effect the tweets had on the voting is of course unclear. Twitter's release includes more than just pro-Brexit trolling. The company has also released inauthentic Twitter activity targeting U.S. voting, Russian domestic issues and so on. The hope, Twitter CEO Dorsey says, is that researchers will find the material useful.

Dave Bittner: [00:11:38] Iranian operators have been using fake social media persona in relatively ineffectual attempts at influencing U.S. elections. The Atlantic Council's Digital Forensic Research Lab notes that the Iranian effort was much smaller than the information operations mounted from Russia. One difference between the two approaches seems to have been that the Iranian operators were more focused on achieving specific shifts in public opinion. The Russian approach was opportunistic, which in this case paradoxically means it was more sophisticated. Their goal seems to have been simple disruption and increase in their adversary's friction. It's easier to throw sand in the gears than it is to direct an engine.

Dave Bittner: [00:12:21] Researchers at Poland's Silesian University of Technology have found remote code execution vulnerabilities in D-Link routers. SecurityWeek's report says no fixes appear to be available. And a different set of routers have also been discovered to be vulnerable. Cisco Talos researchers have found flaws in Linksys E-Series routers. But in this case, there are patches available.

Dave Bittner: [00:12:46] NBC News sends GCHQ's National Cybersecurity Centre a mash note saying the U.S. has nothing like it and should copy it. We're fans of the NCSC, but perhaps NBC is overlooking the Department of Homeland Security's National Protection and Programs Directorate. NPPD fills a similar role - not identical but similar. And it's being tested during the current midterm election season.

Dave Bittner: [00:13:14] And finally, from our slacker desk comes this particular nugget. Make of it what you will. If you are among the many disappointed idlers who found they couldn't watch PewDiePie on YouTube for about an hour Tuesday, well, maybe there's an explanation. The skids at Ghost Squad are Twittering that they're the ones who took down YouTube. That's Ghost Squad, the hacker losers, not Ghost Squad, the first-person shooter or "Ghost Squad," the online TV show. Our slacker desk hastens to clarify a confusion we didn't have the heart to tell them we never really suffered. The report comes from The Sun which says the tweet said, quote, "YouTube downed by Ghost Squad hackers," end quote. And it even came with four hashtags #GSH, #GhostSquadHackers, #YouTubeDown and #DownedByGCH (ph). So there you go.

Dave Bittner: [00:14:03] But YouTube's now been up for some time, whether the outage was a hack or a glitch. Our favorite reaction to the incident came from the Philadelphia Police Department which tweeted - yes, our YouTube is down, too. No, please don't call 911. We can't fix it.

Dave Bittner: [00:14:25] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security - And we thank VMware for sponsoring our show.

Dave Bittner: [00:15:25] And joining me once again is Dr. Charles Clancy. He's the executive director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. We had an interesting article come by. This was from Avionics Today. And the article was discussing cognitive electronic warfare. It was titled "Radio Frequency Spectrum Meets Machine Learning." This is something that is up your alley. Can you describe to us what's going on here?

Charles Clancy: [00:15:52] So over the last 10 years, we've seen a shift in the cognitive radio ecosystem. So if you're familiar with cognitive radio, it's this idea that we could put artificial intelligence behind a software-defined radio. And that artificial intelligence can better control the radio, make it work better in the environment, particularly in the face of interference or jammers or noise. You can look at the flip side of that. And it says, well, what if we put artificial intelligence behind a jammer? How might it be able to outwit the cognition that's behind the cognitive radio?

Charles Clancy: [00:16:26] So over the last 10 years, we've had sort of three different communities develop. You have the cognitive radio community that's trying to build the wireless devices that can outwit things in their RF environment. We've also seen the cognitive radar community come into existence with radar systems that are increasingly sophisticated and intelligent and able to work around different sources of interference or jamming in the environment - and then cognitive jammers that are trying to outwit the AI that's in the adversary systems. This is sort of leading to this interesting AI arms race in the electromagnetic battle space where you've got jammers and radars and communication systems all sort of trying to get into each other's head and figure out what the other ones and to do next.

Dave Bittner: [00:17:17] Do any of them have any sort of lead over the others?

Charles Clancy: [00:17:21] Well, first, there's some - just because of the RF environment, it's a really, really hard problem.

Dave Bittner: [00:17:28] Yeah.

Charles Clancy: [00:17:28] You can imagine, there's noise; there's distortion; there's multipath. There's all kinds of effects in the RF environment that make it difficult to know exactly what the other person's doing. It's like - I don't know - trying to play chess against someone but you're not able to directly observe the chessboard. You can only sometimes see a blurry version of the chessboard, and you have to try and infer what their strategy is.

Charles Clancy: [00:17:52] So it makes a really interesting - of course, from a university perspective, it's a really interesting research problem. How much information can you actually glean about an adversary through noisy observations through the RF environment? But then there's a lot of real practical applications within a lot of these military systems.

Dave Bittner: [00:18:10] Now, are these the sorts of things that we could find eventually trickling down to consumer devices?

Charles Clancy: [00:18:16] Certainly the cognitive radio technology we've seen for the past 20 years really beginning to increasingly influence Wi-Fi and cellular technologies. As far as the jammers - of course, it's still illegal operate a jammer in the United States...

Dave Bittner: [00:18:31] Right, right.

Charles Clancy: [00:18:31] ...Under the Communications Act of 1934 - so hopefully not.


Dave Bittner: [00:18:36] Yeah. All right. Well, it's interesting stuff as always. Dr. Charles Clancy, thanks for joining us.

Charles Clancy: [00:18:42] Thanks a lot.

Dave Bittner: [00:18:46] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at

Dave Bittner: [00:18:54] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor; we actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:19:12] And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:19:21] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.