The CyberWire Daily Podcast 12.20.18
Ep 749 | 12.20.18

US indicts two Stone Panda operators amid ongoing international concern over Chinese IP theft. Suspicious customer support traffic on Twitter. Emergency IE patch. Influence experiment.

Transcript

Dave Bittner: [00:00:03] The U.S. has indicted two hackers working for China's Ministry of State Security. U.S. and allies are said to be planning a joint response to China's industrial espionage. Twitter sees suspicious customer support traffic. Microsoft issues an emergency patch for Internet Explorer. Facebook continues to struggle with transparency. New Knowledge's CEO acknowledges a questionable experiment in social media manipulation. And news flash - the Russian Embassy hack was brutal.

Dave Bittner: [00:00:40] Now a word from our sponsors Shape Security. Last year, 2.3 billion usernames and passwords were reported as compromised. It says everyone in America had passwords stolen for not just one but seven online accounts. And that's just the data reported last year. It can take years for a credentials spill to be reported if it's discovered at all. Why do these spills matter? Two words - credential stuffing. Attackers take those spilled usernames and passwords and try them on every login form imaginable. Because users recycle passwords, up to 3 percent of stolen credentials will be valid on a typical website or mobile app. Once they're in, attackers steal whatever they can get from gift cards to frequent flyer miles. And it adds up. This year, credential stuffing will pull nearly $9 billion from our banking, travel and e-commerce accounts. But there's hope as consumers use unique passwords, as organizations join Shape Security's collective defense platform because together, we can defeat account takeovers. To learn more, visit shapesecurity.com. That's shapesecurity.com. And we thank Shape Security for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:01] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 20, 2018. This morning, the U.S. Justice Department unsealed yesterday's indictment of two Chinese hackers, Zhu Hua and Zhang Shilong, whom it connected with a long-running, extensive campaign by China's Ministry of State Security to steal intellectual property from at least 12 countries.

Dave Bittner: [00:02:26] Initial reactions regard the indictment as containing damning accusations against Beijing, especially longstanding and systematic violation of that government's undertakings to restrain itself with respect to industrial espionage. The condemnation appears to be international. The U.S. is expected to be joined by the U.K., Australia, Canada, Japan and Germany at least in an announcement of joint action against Chinese cyber-espionage.

Dave Bittner: [00:02:56] CrowdStrike's co-founder and CTO Dmitri Alperovitch commented in an email to us that, quote, "it is unprecedented and encouraging to see the U.S. government joined by so many international allies taking a decisive stance against Chinese state-sponsored economic espionage," end quote. CrowdStrike has been among the security companies reporting what's generally regarded as a surge in Chinese industrial espionage. The scope of the Ministry of State Security's interests has been very wide. The sectors targeted include and aren't limited to biotechnology, defense and aerospace, mining, pharma, professional services and transportation.

Dave Bittner: [00:03:36] Alperovitch went on to praise the indictments as a significant step toward holding China responsible for cyber-espionage in the service of economic competition. He said, quote, "while this action alone will not likely solve the issue and companies in U.S., Canada, Europe, Australia and Japan will continue to be targeted by the Ministry of State Security for industrial espionage, it is an important element in raising the cost and isolating them internationally," end quote.

Dave Bittner: [00:04:05] The indictment says the two indicted men were members of APT10, the threat group also known as POTASSIUM, CVNX, MenuPass, Red Apollo and of course Stone Panda. China also remains under suspicion of being responsible for the breach of EU diplomatic cables. Beijing denies responsibility, as one would expect. Whoever was responsible seems to have accomplished their espionage through simple phishing.

Dave Bittner: [00:04:33] When you ponder which of the 50 states in the good old US of A is leading the pack in cybersecurity economic development, certainly California is among the usual suspects, along with New York, Texas and our personal favorite, Maryland. Sarah Tennant is strategic adviser for cyber initiatives for the Michigan Economic Development Corporation, and she makes the case that Michigan deserves a closer look.

Sarah Tennant: [00:04:58] So Michigan is the capital of the global automotive industry. So I'm sure when you think about Michigan, you think about automotive. But the future of automotive is mobility. And Michigan is really the place to be for business and researchers and entrepreneurs looking to shape the next transportation frontier. So a world of autonomous vehicle design and advanced manufacturing has to include cybersecurity. So cybersecurity has really become that focal point that is the umbrella that goes across all industries.

Dave Bittner: [00:05:26] And so one of the efforts that you all have spun up there - you have some new cyber ranges at Northern Michigan University and University of Michigan, Flint. What prompted these efforts?

Sarah Tennant: [00:05:38] Really this again was prompted by our governor's vision for the state. He created a cyber initiative in 2011 that had a vision of unclassified cyber range hubs where talent could train, test and really become that central focal point as a cyber resource in the state. So a cyber range hub - if you're not familiar with what a hub is, it's really a magnet site for the community that brings people, schools and employers together to be part of the cyber ecosystem. So the hub sites are really meant to host events, exercises and training classes where companies can access virtual infrastructure for product development, testing and demonstrations.

Dave Bittner: [00:06:21] So can you describe to us - what's the relationship between industry and government and the universities themselves? I suppose there's a lot of collaboration between the three.

Sarah Tennant: [00:06:31] There is. Cybersecurity really has to be a collaborative effort. And we recognize that early on. We can't do it without industry. We need to know what industry's needs are. So these hubs have industry's input. So we have advisory boards with the hubs that will bring in industry to let them know what their needs are. And industry can help to really define what happens in the hubs and what the needs are for them. And really, it becomes that talent pipeline for this industry as well.

Sarah Tennant: [00:07:01] We're talking about an industry - the cybersecurity industry is something that - while it has been around for a long time on the network side, the physical cybersecurity industry is a new and emerging market for Michigan. And we're looking to focus on that as well. And we need input from industry for what their needs are so that we can not only train upcoming talent but also the existing workforce needs. We can't wait 10 years for the kids in high school to come out of school. We have an immediate need now.

Dave Bittner: [00:07:32] Now, the work that you do with the Michigan Economic Development Corporation - how do you get the word out? What's the pitch that you make to startups to tell them, hey, Michigan is the place you want to be?

Sarah Tennant: [00:07:44] So what we talk about with startups is, if they are looking to get into that physical cyber system. So if they're looking to get into the mobility industry or aerospace or defense, they have access to the client in Michigan. So we have such a robust industry here. And it's a large industry, but it's a really small network. And we can get them connected with those big OEMs, both in defense and auto. So we really want them to be in a place where they have access. Michigan is the epicenter for automotive R&D and defense R&D.

Sarah Tennant: [00:08:18] So we want to - we have the ability to connect them with the people in industry that they need to be talking to about their products. What we really want to make people aware of is that Michigan really is a leader in cybersecurity. And we really are - we are thinking about cybersecurity in a very holistic way. While we promote collaboration for businesses, we're creating a robust talent pipeline. And if people are looking to get into the industry or bring their industry to a state, Michigan is the state to be.

Dave Bittner: [00:08:50] That's Sarah Tennant. She's from the Michigan Economic Development Corporation.

Dave Bittner: [00:08:56] Twitter observed a large volume of unusual traffic to its customer support site early this week. The social media company thinks it might be receiving some unwanted attention from potential hackers in either Saudi Arabia or China. The incident remains unclear, but it's clear enough for investors to have shied away from the company's stock.

Dave Bittner: [00:09:17] Late yesterday, Microsoft issued an out-of-band patch for an Internet Explorer vulnerability being actively exploited. It's a remote-code execution issue in the scripting engine's handling of objects in memory.

Dave Bittner: [00:09:31] Facebook continues to suffer from its long-running accretion of bad news. The access The New York Times reported that Facebook granted partners may have been less nefarious and less extensive than it sounded. Ars Technica looks at what Facebook said it actually shared and how and why and concludes that a lot of what The New York Times described seems to have amounted to application integration of the sort that few users would find objectionable. Unfortunately for Facebook, a lot of people are in a mood to dismiss Facebook's explanations as just so much logic chopping.

Dave Bittner: [00:10:06] The social network and its explanations did acknowledge a desire to deal more transparently with its users. Their response to the story said in part, quote, "still, we recognize that we've needed tighter management over how partners and developers can access information using our APIs. We're already in the process of reviewing all our APIs and the partners who can access them," end quote. But the Times story was damaging because it revealed that there was more sharing going on even after Facebook had told everybody they'd come completely clean about their practices post-Cambridge Analytica.

Dave Bittner: [00:10:41] This week's reports on Russian influence operations during recent U.S. elections hit with considerable éclat. One of the more insightful brief takes on them came from the grugq, who blogged Monday, quote, "I think it just reveals that the Russians were another super PAC in the election. The only truly unique thing they brought to the table was the hacked emails and documents. That was special," end quote.

Dave Bittner: [00:11:06] How PAC-like the operations were is indicated by an admission that came, oddly enough, from the head of the company, New Knowledge, that produced one of the reports. Jonathon Morgan, New Knowledge CEO, said with expressions of an uneasy conscience that he had conducted an experiment in Alabama's closely contested special election for a Senate seat last year. Morgan says he created an inauthentic Facebook page to see whether he could do on a small scale what Russia's Internet Research Agency did on a larger scale.

Dave Bittner: [00:11:37] He also bought some retweets for less than 10 bucks, he said, to measure the lift he might achieve in social media messaging. He says it was too small an effort to have helped the Democratic candidate who, in any case, lost to his Republican opponent. Almost a thought experiment, al.com quotes him as saying. We'd like to offer some clarity here. If you do the experiment, it's no longer a thought experiment. But that aside, Morgan says that now, in hindsight, he probably shouldn't have done it.

Dave Bittner: [00:12:08] It's an interesting question. University researchers have found themselves wrapped up in comparably murky studies conducted online. There's, so far, no obvious internet equivalent of a medical center's human subjects research review board or none that we know of. Perhaps the community might give the matter some thought.

Dave Bittner: [00:12:26] RT complains that the Russian Embassy in London was subjected to a brutal hack earlier this week. Apparently, its press webpages were rendered inaccessible for a period of time. The hack, RT and the embassy hint darkly, appears to have been mounted from somewhere within Great Britain. If nothing else, the complaint shows some elasticity in the foreign ministry's understanding of the meaning of brutality. A few hours of downtime - that's brutal. But Novichok nerve agent left around town - come on. That's just the kind of stuff any sports enthusiast would have in their kitchen - right? - between the protein powder and the creatine. Sure, maybe your local GNC doesn't carry Novichok, but brutal - nothing to see here. Move on.

Dave Bittner: [00:13:16] It's time to tell you about our sponsor, privacy.com. If you're a longtime listener, you've probably heard me mention privacy.com on the CyberWire before. In fact, when I was a guest on another cybersecurity podcast, privacy.com was my pick of the week one week for something that everybody should check out. And here's why - Privacy lets you buy things online using virtual card numbers instead of using your real ones. Think about it. You don't use the same password everywhere, so why would you use the same card number everywhere when you shop online? What's great is that it's super-fast and easy to use. Privacy.com gives you a brand-new virtual card number for every purchase you make with just one click. And we've got a special offer for CyberWire listeners. New customers will get $5 for a limited time to spend on your first purchase - 5 bucks, free money. So go to privacy.com/cyberwire and sign up now. That's privacy.com/cyberwire. And we thank privacy.com for sponsoring our show.

Dave Bittner: [00:14:23] And joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks, and he also heads up Unit 42. That's their threat intelligence team. Rick, it's great to have you back. As we record this, we are heading into the holidays. I don't know about you, but I am ready for a long winter's nap.

(LAUGHTER)

Dave Bittner: [00:14:41] And one of the things you wanted to check in with was maybe a way to kick back, sit in front of the fire perhaps with an adult beverage in your hand and enjoy a good read. What do you have to recommend for us this year?

Rick Howard: [00:14:52] Exactly. That's what we should be doing - a little downtime going into the...

Dave Bittner: [00:14:56] Yep.

Rick Howard: [00:14:56] ...Holidays. It's time for family and loved ones and a little relaxation - an escape, shall we say, from the hustle and bustle of the year.

Dave Bittner: [00:15:03] Yes.

Rick Howard: [00:15:04] And what better way to idle away that time - is to curl up with a good book. You know I'm a big fan of reading...

Dave Bittner: [00:15:09] Sure.

Rick Howard: [00:15:09] ...Cybersecurity books, especially from my Cybersecurity Canon project. Now...

Dave Bittner: [00:15:13] Right.

Rick Howard: [00:15:14] So the first book I want to recommend is William Gibson's 1984 landmark novel called "Neuromancer." Have you heard of this before?

Dave Bittner: [00:15:23] I am familiar with it. I haven't read it, but I certainly know of it.

Rick Howard: [00:15:26] Well, it's really fabulous - just the history of it. For not being a geek or a cyber anything, Gibson invented and clarified our cybersecurity language 10 years before it became mainstream. He coined words like cyberspace. He launched the cyberpunk genre. He pontificated about a sci-fi trope called the singularity. He guessed correctly that hacktivism would be a thing and understood that we would all need some sort of search engine long before any of us knew how vital Google and other similar services would become. He received multiple book awards for this one and is often quoted as having one of the best ever opening novel lines, and here it is. (Reading) The sky above the port was the color of television tuned to a dead channel. Yeah. That's fantastic stuff.

Dave Bittner: [00:16:14] Yeah.

Rick Howard: [00:16:15] So the main "Neuromancer" character is Case. He's a world-class hacker cowboy. He - and Gibson refers to all hackers as cowboys in the book. And he's kind of fallen from grace. He ends up joining a misfit team. The leader Armitage - kind of an ex-military person. There's an assassin, Molly, a beautiful cyborg. The techie Finn - he's the prototype scrounger. You know, he gets all the stuff they need to do their missions. And the mentalist Peter - a psychopathic mind bender. All right, so - and the reader is never really sure what the team's ultimate objective is until close to the end of the story.

Rick Howard: [00:16:49] But along the way, we get plenty of kung fu between the assassin and every bad guy we meet, lovemaking between the hacker and the assassin and a verbal description of what it means to hack that is eerily similar to how modern computer games - gamers play today. Here's the thing. What is not to like about this? Why would the cybersecurity geeks of the world love a story where the loser hacker can win the girl...

Dave Bittner: [00:17:10] (Laughter).

Rick Howard: [00:17:10] ...Act for a greater good, be critical to a super ninja's purpose and ultimately be the hero of the story? All right. So the cyberpunk elements make the story fun, but the hacking, copulating, jutsuing (ph) elements make the story short. And at least for a geek like me, it's fantastic. So...

Dave Bittner: [00:17:26] (Laughter) Right. Escapist fantasy - right, Rick?

Rick Howard: [00:17:26] That's exactly why I'm in cyber.

(LAUGHTER)

Dave Bittner: [00:17:26] OK.

Rick Howard: [00:17:32] All right. That's book one.

Dave Bittner: [00:17:34] Yeah.

Rick Howard: [00:17:34] Second book - OK, and this is my favorite hacker novel of all time, all right? And I know that's a big, bold statement. But I will defend it to the death. It is Neal Stephenson's 1990 novel called "Cryptonomicon." The story revolves around a multigenerational family, a dot-com family in the '90s and a family in World War II. But the story has everything in it - gold treasure hunt, World War II commando raids, code breaking at Bletchley Park, the importance of Dungeons & Dragons to people like me, you know, jaw-dropping complexities of 20th century banking, the necessity and procedures for getting the correct ratio of milk to Cap'n Crunch kernels in your morning cereal.

Dave Bittner: [00:18:15] (Laughter).

Rick Howard: [00:18:16] This is an important thing for geeks.

Dave Bittner: [00:18:18] (Laughter).

Rick Howard: [00:18:18] The horrors experienced by soldiers and civilians in the Philippines during World War II and the significance of cryptological systems in our state-of-the-art world - not to mention two love stories and a glimpse at some interesting historical figures like Lieutenant Ronald Reagan, Alan Turing and General MacArthur. All right. And as you might expect, this is a dense read. So this is not a novel you're going to get through in a weekend.

Rick Howard: [00:18:42] But one of Stephenson's great gifts is his ability to juggle many seemingly unrelated and interesting characters within a story and then surprise the reader about how they all are connected at the end. So "Cryptonomicon" is packed with ideas. Take your time with it. Savor the journey, though, and find your favorite parts. And like I said, it is my favorite hacker novel of all time. And you should've read it by now.

Dave Bittner: [00:19:02] Good recommendations. And at least one of these you can sit by that fire and relax and enjoy your winter break. So Rick Howard, thanks for joining us.

Rick Howard: [00:19:13] Thank you, sir.

Dave Bittner: [00:19:18] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:46] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.