The CyberWire Daily Podcast 1.5.16
Dave Bittner: [00:00:03:13] Mounting evidence of a Russian cyberattack on Ukraine's power grid; the hunt for Jihadi John; activist response to recent Saudi executions; and we talk with The CyberWire's editor about the latest in power grid hacking.
Dave Bittner: [00:00:18:00] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly-skilled professionals in the field of information security, assurance and privacy. Learn more online at: isi.jhu.edu.
Dave Bittner: [00:00:39:16] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, January 5th, 2016.
Dave Bittner: [00:00:46:08] Late December's cyber attack on a Ukrainian electrical utility has been linked to a variant of the BlackEnergy Trojan, long disseminated by the "SandWorm" threat actors. The attack produced rolling blackouts in Western Ukraine, but ESET researchers believe the operation sought to affect a much wider area than a single oblast. They found the malware in at least two other utilities' networks.
Dave Bittner: [00:01:08:03] The attack was accompanied by a flood of calls to utility support centers, effectively distracting responders through misdirection, and some telephony denial of service. BlackEnergy includes modules that establish persistence and can, if so desired, destroy files.
Dave Bittner: [00:01:23:06] Ukraine's SBU security service unambiguously blames Russia for the operation (the Kremlin has not commented) and Western observers tend to agree.
Dave Bittner: [00:01:31:19] The nature of the hack, the ongoing tension between Ukraine and Russia, and the absence of an obvious criminal motive strongly suggest state activity. Coming after revelation of Iranian reconnaissance of a small New York State dam's control system, this attack heightens concerns about the cyber vulnerabilities of physical infrastructure.
Dave Bittner: [00:01:49:07] Observers are calling the attack on Ukraine's electrical utilities the first case of the physical effects they have long predicted and long feared.
Dave Bittner: [00:01:57:24] Hackers DDoS the Saudi Ministry of Defense to protest a leading Shiite cleric's execution. Iranian media, generally sympathetic to protesters, says the hackers are Saudi Shiites.
Dave Bittner: [00:02:08:04] As authorities hunt for Jihadi John, the latest murderous online face of ISIS, the case for Daesh's effective use of crypto increasingly strikes observers as weak.
Dave Bittner: [00:02:19:22] PlayStation succumbed to a DDoS attack last night, responsibility claimed again by the PhantomSquad skids.
Dave Bittner: [00:02:26:14] Emsisoft finds new Java-based ransomware, "Ransom32". It is evasive and works across several operating systems.
Dave Bittner: [00:02:34:12] Cisco discloses, on the basis of research by Synacktiv, that Jabber is vulnerable to man-in-the-middle attacks. No patch or workarounds are yet available, so use it with caution.
Dave Bittner: [00:02:46:15] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at: digitalharbor.org.
Dave Bittner: [00:03:06:08] And I'm joined by John Petrik, who's the editor of The CyberWire. John, ever since 9/11 we've heard warnings of threats to our infrastructure. In the past week or so we've seen a couple of threats to infrastructure around the world, the situation with the dam in New York State, which we'll get to in a minute, but I'm particularly interested in the attack on the power plants that happened in Ukraine. What can you tell us about that?
John Petrik: [00:03:28:09] I think the first thing to say is that we need to keep this in perspective. As the defense intellectual Peter W. Singer's fond of pointing out, we have orders of magnitude more squirrel-induced power failures than we do cyber attack-induced power failures, so we need to keep it in perspective.
Dave Bittner: [00:03:43:07] So what exactly happened in Ukraine?
John Petrik: [00:03:45:24] At the end of December, right around Christmas, the region around the western Ukrainian city of Ivano-Frankivsk started experiencing rolling blackouts. It's now come to light, as announced by the Ukrainian security services, that this was a cyber attack, that the rolling blackouts were caused by a cyber attack that the Ukrainians claimed was mounted by Russian authorities, by Russian security services, and they apparently did that by installing malware called BlackEnergy.
John Petrik: [00:04:13:04] Now, the BlackEnergy malware has been fairly well known since about 2007, but it's interesting because this time it's being used to install problems with control systems. It is, by the way, a problem with the grid, with the power distribution system, not a destructive physical attack on power generation itself but rather with power distribution. So this is interesting and troubling for a couple of reasons, mainly because you have someone who is finally using a cyber attack to bring about a real physical effect, that is, blackouts in a power grid.
Dave Bittner: [00:04:44:19] So what else can you tell me about this BlackEnergy malware?
John Petrik: [00:04:48:02] It's got a few capabilities. One of the more interesting ones is that it is capable of destroying files, that apparently it looks for files with certain extensions; you can just select the file extension and it will destroy those files.
Dave Bittner: [00:05:00:09] Did this attack occur in isolation?
John Petrik: [00:05:02:19] No, there were some other things that were going on, and you often find certain forms of activity being conducted in conjunction with cyberattacks as a form of what magicians would call misdirection, or as a form of what military technicians would call a feint. So, in this case, you had, while the attack was going on, a very large number of telephone calls being made to the service centers of the affected Ukrainian utilities, and these had the effect of pulling responders away from the actual problem that was going on within the grid itself.
Dave Bittner: [00:05:34:17] So let's talk about the dam in New York State. It doesn't seem like there's any direct relation between the two of them. It's just a coincidence that these two attacks happened within about a week of each other?
John Petrik: [00:05:45:05] It is a coincidence. The New York State incident, and by the way, that's a very small dam, so we're not talking about a hydro-electric power generating station, we're talking about the kind of small dam on a small stream that's used for flood control, something like that. Rye, New York is a town in Westchester County. It's on Long Island Sound. It's got this sluggish stream running through it. The dam is there to prevent flooding, a fairly old dam, very small. So, what's disturbing about that is that it showed that, in this case, apparently Iranian authorities, Iranian operators were able to get access to the control system of that dam. Now that's a very minor thing and not a very dangerous thing, but it's troubling on two levels. One, that they could do it, and two, that apparently the federal authorities who found out about it didn't properly share the information with the people in Westchester County who were cooperating with them in information sharing.
Dave Bittner: [00:06:38:05] Alright. John Petrik, once again thanks for joining us.
Dave Bittner: [00:06:43:15] And that's The CyberWire for Tuesday, January 5th, 2016. For links to all of this week's stories, along with interviews, our glossary and more, visit thecyberwire.com. The CyberWire podcast is produced by CyberPoint International and our editor is John Petrik. Thanks for listening.