The CyberWire Daily Podcast 1.25.19
Ep 767 | 1.25.19

Glitches, not attacks or takedowns. Tracing GreyEnergy and Zebrocy back to their servers. US Army tactical cyber operations. Venezuela crisis. Bellingcat and OSINT. Roger Stone arrested.


Dave Bittner: [00:00:03] Two potential cyberattacks now look like glitches instead. GreyEnergy and Zebrocy look as though they're close enough to be, if not the same threat actor, at least first cousins. The U.S. Army pushes significant cybercapability to a tactical level. Venezuela's crisis may provide the next occasion for Russian information operations. We'll look at how Bellingcat exposes info operations. Special counsel Mueller secures the indictment and arrest of Roger Stone. Author P.W. Singer joins us to discuss his book "LikeWar: The Weaponization of Social Media." And leave the Nest alone.

Dave Bittner: [00:00:47] And now a word from our sponsor KnowBe4. You know, email is still the no. 1 attack vector the bad guys use with a whopping 91 percent of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization in an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick. So check out the 10 incredible ways and learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents establishing fake relationships and compromising a user's ethics are so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to to watch the webinar. That's And we thank KnowBe4 for sponsoring our show.

Dave Bittner: [00:01:57] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 25, 2019.

Dave Bittner: [00:02:05] Two apparent or at least potential cyberattacks or government actions that surfaced this week now appear to be the result of technical glitches. In what's by far the larger of the two, Microsoft's Bing search engine was blocked in China yesterday, which prompted speculation in many quarters that this amounted to another brick in the great firewall, a riposte in a sharpening Sino-American trade war and so on. But Bloomberg reports that service has been restored and that the outage was due to a technical mistake. Redmond itself has been quiet about the incident, saying only that service was back and that such things do happen.

Dave Bittner: [00:02:45] The second incident - a widespread outage of the Criminal Justice Secure Email, widely used by barristers in Wales and England - has now been determined by the Ministry of Justice to have been an accident - a glitch - and not the result of a cyberattack. The system went down a week ago. And a number of trials have been delayed. Full restoration is expected next week. But the system has, of today, partially recovered.

Dave Bittner: [00:03:12] Kaspersky reports that Russian threat actors GreyEnergy and Zebrocy, one of the GRU group Fancy Bear's paws, share tools and techniques. GreyEnergy is generally regarded as the successor to BlackEnergy, best known for its role in attacks that took down geographically confined but still significant sections of Ukraine's power grid. Zebrocy, seen as an avatar of Sofacy, has mostly been active in government networks around Europe, the Middle East and Asia.

Dave Bittner: [00:03:42] Kaspersky has found that the groups use the same servers at the same times and serviced some of the same targets. The story is an interesting one in that it illustrates some of the difficulty in fixing the identity of threat actors, even after one has glimpsed them. It's not quite metaphysics except in so far as org charts have a metaphysical tendency. But it does suggest, again, that attribution and tracking of threat actors is a complicated matter.

Dave Bittner: [00:04:11] Military cyber-operational capabilities are fast developing into tactical realities. The U.S. Army is establishing two organizations built around the 17th and 41st field artillery brigades to, as Breaking Defense puts it, hack, jam, sense and shoot. Hacking and jamming increasingly go together as cyber operations and electronic warfare continue to converge. Sensing is natural and necessary for both electronic and kinetic attack. The shooting would be done, for the most part, by rockets, specifically HIMARS - High Mobility Artillery Rocket Systems. The hacking and jamming would be the work of battalion strength intelligence, information, cyber, electronic warfare and space detachments, one per brigade, inevitably to be known by their acronym I2CEWS.

Dave Bittner: [00:05:02] The organizations are a serious sign that the U.S., at least, is prepared to delegate significant cybercapability down to surprisingly low tactical levels. One of the new detachments is now operational with the 17th Field Artillery Brigade at combined Base Lewis-McChord in Washington state. The other is destined for the 41st Field Artillery Brigade, formerly at Babenhausen but now re-established at Grafenwoehr, Germany. These are by no means the national assets one usually thinks of when considering cybercapabilities. And when you get to Graf, cyber warriors, bring your galoshes. The mud there is famous.

Dave Bittner: [00:05:44] Since information campaigns can be expected to follow great power and regional tensions, watch Venezuela. Russia has warned the U.S. against military intervention in the failed Chavista state, NBC News reports. Venezuela is Russia's strategic partner, Deputy Foreign Minister Ryabkov said. And deposition of President Maduro, quote, "would shake the foundations of the development model which we see in Latin America," end quote.

Dave Bittner: [00:06:12] The U.S., joined by the U.K. and others, has expressed strong support for opposition leader Juan Guaido's constitutional claim to an acting presidency. The U.S. has expressed its intention to put as much diplomatic and economic pressure as it can on President Maduro's regime, widely regarded as having retained power fraudulently. There's little evidence of interest on Washington's part in military intervention. But Moscow squints and says it can see it. It's striking that Russian statements find much to praise in Venezuela's development model.

Dave Bittner: [00:06:49] Bellingcat seems to have had success in countering Moscow's and others' information operations. Foreign Policy interviews the citizen journalists who got their initial funding through a Kickstarter campaign and discusses how they were able to geolocate ISIS demonstrators, expose the GRU agents behind the Novichok attacks in Salisbury and point out that alleged gun camera footage showing U.S. atrocities in the Middle East was actually just screenshots from a first-person shooter game. Bellingcat has done some very nice work with open-source intelligence. And their founder, Eliot Higgins, points out the core challenge of anyone involved in such work.

Dave Bittner: [00:07:28] Higgins says, quote, "getting a balance between being obsessive enough and not also crazy is rather difficult," end quote. It can also be difficult to get open-source intelligence - OSINT - taken seriously since there's a perennial temptation among many - and intelligence professionals are no different - to confuse cost with value. And OSINT can be a bargain.

Dave Bittner: [00:07:53] Microsoft President Bradley Smith (ph) is again urging the U.S. to publicly adhere to the Paris call for norms with respect to conduct in cyberspace. If official statements from Paris and Lille over the last week and a half are any indication, the Paris call may be more operationally supple than the earnest executives from Redmond may wish.

Dave Bittner: [00:08:15] The FBI arrested Roger Stone, former adviser to U.S. President Trump, in Florida early this morning, pursuant to an indictment obtained by special counsel Robert Mueller. Mr. Stone has been charged with seven process crimes, including obstruction of an official proceeding, witness tampering and five counts of making false statements. The indictment doesn't allege that he conspired with WikiLeaks, Julian Assange or others, as the president notes, but rather that he was not candid about his interest in learning about whatever dirt they may have had on the Clinton campaign.

Dave Bittner: [00:08:50] Finally, a person who goes by the nom de hack SydeFX - that's side effects spelled S-Y-D-E-F-X - has been using credential-stuffing attacks to take over Nest home security systems. He's asked his victims or rather - as Mr. FX would put it, since he sees himself as a white hat - those he's helping to realize that their systems aren't so secure to subscribe to - wait for it - PewDiePie on the YouTube. Again with the PewDiePie - Mr. FX told Motherboard he's been doing this so he can land a job as an ethical hacker and, presumably, to provide a public benefit.

Dave Bittner: [00:09:29] Kids, look. If you want to be an ethical hacker, start with the ethical part. That little, inner Jiminy Cricket will probably tell you, oh, not to force your way into uncooperating systems or to scare them by talking to them through their home monitors.

Dave Bittner: [00:09:49] And now a word from our sponsor Coalfire. When organizations stand up new services or move existing applications to the cloud, they need to coordinate IT security efforts with business units and partners. So the question arises. Is security the cloud platform provider's responsibility or is it the customer's responsibility? To answer that data security question, you must clearly articulate who owns what, identify security gaps and determine who will close those gaps. With the HITRUST shared responsibility program, there's now a clear path to address the misunderstandings, risks and complexities when partnering with cloud service providers. Coalfire has delivered hundreds of HITRUST CSF certifications since 2011. And they help organizations clarify the roles and responsibilities of security controls that protect information. They've certified the leading global cloud service providers and can help you migrate data to the cloud securely. Find out more from Coalfire, the HITRUST cloud assessor at That's And we thank Coalfire for sponsoring our show.

Dave Bittner: [00:11:12] And joining me once again is Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. I saw some stories pop up - actually, a little bit of controversy here about AT&T announcing that - I guess, more of a marketing campaign than anything else. They're releasing some technology - some upgrades to their network that they're calling 5G Evolution. It's caused some folks to raise some eyebrows here. Can you shed some light on it? What's going on here?

Charles Clancy: [00:11:44] Sure. In fact, notably, T-Mobile released a video on Twitter, showing - taking a sticker that said 9G and putting it in the upper corner of one of their phones...

Dave Bittner: [00:11:57] (Laughter).

Charles Clancy: [00:11:57] ...As a jab at AT&T's...

Dave Bittner: [00:11:59] Right.

Charles Clancy: [00:11:59] ...5G Evolution.

Dave Bittner: [00:12:00] Yeah.

Charles Clancy: [00:12:02] So any time there's a new generation of cellphone technology, there's a big marketing campaign to try and - each carrier trying to outflank each other in the media. We saw the same thing with the transition from 3G to 4G, where you had commercials for both AT&T and Verizon, both indicating they offered the nation's strongest or fastest or most coverage at 4G.

Charles Clancy: [00:12:27] And at the time, Verizon had upgraded their 3G network to make it have speeds approaching 4G. Meanwhile, AT&T had begun deploying actual LTE technology, and that's why we have the differentiation between 4G and 4G LTE. Essentially, we're seeing the same thing now with 5G. 5G is - there's an actual standard.

Dave Bittner: [00:12:51] Right, right.

Charles Clancy: [00:12:52] It's called New Radio. So 5G New Radio is the actual signaling format. It's about 50 percent faster than the 4G signaling. But you can still use the same 4G signaling, but with many of the features of 5G, where you would basically be able to band together multiple chunks of spectrum in order to get the data rates higher.

Charles Clancy: [00:13:09] So essentially, what AT&T is offering is, under pristine conditions, you could see 5G speeds on this network, but it's really all built out of 4G building blocks.

Dave Bittner: [00:13:20] I see. And so the notion here is that we'll start seeing some phones that have that 5G logo up in the corner, despite the fact that the underpinnings are still going to be 4G technology?

Charles Clancy: [00:13:32] So that's a good question. In fact, the carriers, last time around, went to the ITU, which is part of the U.N., and actually had the definition of 4G changed so that they could legally call it 4G. We actually saw the same thing with 3G technology, where GSM EDGE service was reclassified as a 3G technology, even though it was based on 2G, and it was specifically to try and meet those marketing criteria.

Charles Clancy: [00:14:00] And the ITU actually sets these thresholds. So it'll be interesting to see if the ITU is willing to call this 5G and whether this is something that then becomes more ubiquitous. But it's all really part of this incremental change and upgrade of technologies that, ultimately, is going to lead to nationwide 5G.

Dave Bittner: [00:14:18] Yeah. So buyer beware. Just make sure what you think you're getting is what you're actually going to be getting out there.

Charles Clancy: [00:14:24] And keep in mind that, right now, there is no production 5G service. There's a lot of trials underway, and I expect that within the first half of 2019, we'll start to see real 5G commercial service. But it's not quite there yet.

Dave Bittner: [00:14:38] All right, Dr. Charles Clancy, thanks for joining us.

Charles Clancy: [00:14:40] Thanks a lot.

Dave Bittner: [00:14:45] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all-image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit and check out their report, "Security: Using AI for Evil." That's We're happy to say that their products protect our systems here at the CyberWire. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:15:45] My guest today is Peter W. Singer. He's a strategist at New America and author of the book "LikeWar: The Weaponization of Social Media," along with his co-author Emerson Brooking. Mr. Singer is author of a number of books on both conventional and cyberwarfare and was named one of the Top 100 Most Influential People in Defense Issues by Defense News. He joined us from his office in Washington, D.C.

Peter W. Singer: [00:16:10] So we started this project almost five years ago. And there was a series of seemingly, you know, kind of new break points, but actually, now, in retrospect, they signified a new normal. And they were everything from - for example, you had the first, what was called, Twitter war that played out, where Israel and Hamas had one of their sort of regular conflicts. And there was a series of days of airstrikes and the like, and it kind of ended inconclusively on the ground.

Peter W. Singer: [00:16:42] But alongside it, for the first time, you had these online, what we now call battles, but basically debates going back-and-forth as to what was happening - literally millions of messages. And what was interesting about it was not just that you had these messages going back-and-forth but that the vast majority of the messages claiming what was happening on the ground, who was in the right and wrong were being pushed by people physically outside the region.

Peter W. Singer: [00:17:11] And what was even more notable than the fact that, you know, you could, for example, weigh in on this conflict even though you might be, you know, checking Twitter on the subway on the way to work is that, actually, the ebb and flow of the conflict had real-world consequences. They later found that, essentially, whichever side was winning, so to speak, in the trends online, it shaped both the pace and location of the airstrikes by over 50 percent. What was essentially happening is that the Israeli generals and politicians were watching the maps, but also watching their Twitter feed, which now, of course, you know, seems normal.

Peter W. Singer: [00:17:54] Another example about five years back was we had a group of terrorists seize a shopping mall in Kenya. And the government tried to shut down communication and reporting about what was happening. And the result was that the terrorists, who were on social media, became the primary source for the world on their act of terrorism. So actually, we fed into the very goal of terrorism, which is, you know, to drive the message, and it's to drive fear viral. But what was, again, interesting is the terrorists realized that because they own the narrative, they also didn't have to tell the truth online.

Peter W. Singer: [00:18:34] You know, again, sort of a seemingly obvious realization, but, you know, this is where we're at. And then finally, you had a policy change in the U.S. military, which allowed deploying service members to Afghanistan to use Facebook and Twitter.

Peter W. Singer: [00:18:53] And so for the first time, you had people in the battlefield able to friend their enemy. And in turn, their enemy, the Taliban, could not just friend and stalk and track and communicate with them but could equally reach out and connect to, you know, everything from family members, friends, journalists back home. You name it. And so you had this kind of connection point. And so all these things were a spark for us to start the book project. And then we started to explore, essentially, how social media was being used in war zones around the world.

Peter W. Singer: [00:19:25] But very quickly, that widened. If you're looking at, for instance, Iraq and Syria, the rise of ISIS becomes a story of terrorism. If you're looking at terrorism, you have a cross with things like the drug war in Mexico. And we started to look at how drug cartels were using it. Then we began to look at - hold it - Chicago gangs. If you're looking at how it was used in places like Russia and Ukraine, very quickly, it moved into American domestic politics.

Peter W. Singer: [00:19:54] And so the project was, essentially, trying to explore just what's going on here in this new form of online conflict that, as we talk about it, is not about hacking of computers on the network - you know, sort of the classic definition of cyberwar - but rather hacking the people on social networks by driving ideas viral - what we call a like war.

Dave Bittner: [00:20:19] Yeah, there's no shortage of, you know, breathless reporting and headlines that these networks are going to be the end of us. It's going to lead to the downfall of democracy and, you know, the way we communicate. And our freedoms are at risk. Do you think that there's something to that? I guess, what I'm getting at is, how accurate do you think those warnings are? How concerned should we be as we head forward?

Peter W. Singer: [00:20:48] It's a technology that can be used for massive good and massive evil - guess what? - like every other technology in the past. So if you think of, for instance, the radio, Goebbels talked about how - his rough quote was, we - this is talking about the rise of the Nazi party. The top propagandist of it said, we couldn't have done it without the radio.

Peter W. Singer: [00:21:17] Of course, the radio also allowed FDR's famous fireside chats that mobilized the free world against the Nazis. The radio also created new forms of shared entertainment. So we've been through these kind of, you know, sea changes before. What we need to recognize is social media is on that level. And we've seen it empower new actors who've used it for evil and for good.

Peter W. Singer: [00:21:50] A couple of things, though, that are important about that - the first is, I think, right now we feel so negative about it largely because of how positive we felt about it just a couple years ago. You know, just a couple years ago, there was this just crazy level of techno-optimism. You know, it was everything from the Arab Spring and, oh, social media has a, quote, "liberating power" and, you know, dictatorships are on their way out to - you know, Facebook has a motto that it's pushing out that back then, it's meant as a positive.

Peter W. Singer: [00:22:30] Now it feels kind of creepy, where they're pushing, quote, "the more we connect, the better it gets." Think about that, you know, now, how that sounds. No, the more we connect, the more we connect. And, you know, we've seen the good and the bad of it.

Peter W. Singer: [00:22:45] But you had this kind of crazy level of techno-optimism. And now we're feeling sort of the second side of it. The other aspect is that, essentially, part of why it feels so bad is that we've not understood these new rules of the game. And so, you know, essentially, the bad actors, whether it's, you know, Russian disinformation warriors to trolls and conspiracy theorists, they've been the ones that have understood these rules. And so they've been manipulating their way into a level of success that they wouldn't have otherwise achieved.

Peter W. Singer: [00:23:17] And so it's up to us to learn these new rules to be able to push back against it. And that's what the book project was about is trying to help us all understand, you know, what are these rules of the game?

Dave Bittner: [00:23:31] That's Peter W. Singer. He's author of the book "LikeWar: The Weaponization of Social Media" along with his co-author Emerson Brooking. There is a lot more to our conversation. You can find it over on our Patreon page. That's

Dave Bittner: [00:23:51] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:24:04] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion on the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed.

Dave Bittner: [00:24:19] And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [00:24:32] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.