The CyberWire Daily Podcast 3.27.19
Ep 809 | 3.27.19

State cyber-espionage. Influence operations and coordinated inauthenticity. Add Lucky Elephant to the menagerie. ASUS supply chain updates. Notes on Norsk Hydro’s recovery. Reactions to the Mueller Report.


Dave Bittner: [00:00:04:01] The Spanish Defense Ministry is reportedly hacked. The Lazarus Group’s life of crime. Facebook takes down “coordinated inauthenticity”. Add Lucky Elephant to the bad actor menagerie, it’s harvesting credentials in South Asia. We've got notes on the ASUS supply chain back door, updates on Norsk Hydro’s recovery from its LockerGoga infestation and Russia says, "Hey, the Mueller Report totally exonerates us, too!"

Dave Bittner: [00:00:35:23] Now, a moment to tell you about our sponsor, ThreatConnect. Designed by analysts, but built for the entire team, ThreatConnect's intelligence driven security operations platform is the only solution available today, with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations, to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, drive by workflows, you'll dramatically improve the effectiveness of every member of the team. Wanna learn more? Check out their newest e-book, SOAR Platforms, everything you need to know about security, orchestration, automation and response. The book talks about intelligence drive orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at That's And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:47:15] From the CyberWire Studios at DataTribe, I'm Dave Bittner, with your CyberWire summary for Wednesday, March 27th, 2019.

Dave Bittner: [00:01:56:01] The Spanish Defense Ministry’s intranet has been affected by what is thought to be a cyber espionage attack aiming at stealing defense secrets. That's according to Reuters, since the Ministry itself has been tight-lipped about the incident, but sources say that an unspecified nation-state is thought to be behind the activity.

Dave Bittner: [00:02:14:09] North Korean hackers are again in the news, with the Lazarus Group or associated actors continuing their efforts to redress the DPRK’s financial shortfalls by theft and fraud. The UN panel of experts has finally reported on the looting of ATMs belonging to the Pune-based Cosmos Cooperative Bank last year. The thieves got the equivalent of about 13 and-a-half million US dollars in the campaign, which extended beyond India to 27 other countries. The UN panel concluded that the theft was motivated by Pyongyang.

Dave Bittner: [00:02:51:19] The India Times says that the Pune Police and the Maharashtra Cyber Cell have made a dozen arrests, but haven’t yet identified the mastermind behind the looting. Whoever the masterminds were, they’re more likely to be found in Shinanju than in Pune.

Dave Bittner: [00:03:08:07] Kaspersky Lab has been tracking the Lazarus Group’s evolving approach to cybercrime, and they think various tech startups, particularly those involved with cryptocurrency, are now more heavily represented than before on Pyongyang’s target list. The Lazarus Group is said to be using custom PowerShell scripts, with command-and-control server scripts often disguised as WordPress files. Any immunity Mac users may have felt to the ministrations of DPRK hackers is no longer well-founded. The crooks know that a lot of tech startups are Mac shops. And they haven’t forgotten about you Windows users, either.

Dave Bittner: [00:03:47:11] Facebook has closed some 2600 accounts for coordinated inauthentic behavior, that is, for illegitimate political influence operations. The accounts were based in Russia, Kosovo, Iran, and Macedonia. The accounts from Iran for the most part addressed audiences in Egypt, India, Indonesia, Israel, Italy, Kazakhstan and various other places in the Middle East and North Africa. Facebook says that these actors, “represented themselves as locals and made-up media entities, often using fake accounts and they impersonated real political groups and media organizations.” Their posts usually amplified material being pushed by Iranian state media, with takes on Indo-Pakistani tension, Israeli-Palestinian conflict, fighting in Yemen and Syria, various Islamic religious topics, and the ongoing crisis in Venezuela.

Dave Bittner: [00:04:41:19] The accounts based in Russia for the most part had to do with Ukraine, allegations of corruption in Kiev, and the general righteousness of Russian claims to Crimea.

Dave Bittner: [00:04:52:14] The Balkan outfits in Kosovo and North Macedonia were mostly interested in representing themselves as members of American and Australian groups. Their topics were more anodyne, along the lines of what one might read in a grocery store check-out line, astrology, celebrity news, beauty tips, and political gossip. That choice of topics might be consistent with longer-term battlespace prep, attracting followers who could be pumped with sunshine and swampwater at some appropriate later time.

Dave Bittner: [00:05:23:01] In any case, the takedown is more evidence that finding and checking inauthenticity might be an easier and more beneficial approach to influence operations than direct content moderation. After all, you wouldn’t want to take down celebrity gossip, right?

Dave Bittner: [00:05:39:19] NETSCOUT describes an ongoing credential-harvesting campaign that appears to be prospecting, for the most part, South Asian governments. They call it Lucky Elephant, and say that, “the attackers masquerade as legitimate entities such as foreign government, telecommunications, and military.” NETSCOUT researchers haven’t observed any malware associated with Lucky Elephant so far, and so its activities appear at this stage to be concentrating on credentials. The targets include agencies in Pakistan, Bangladesh, Nepal, Sri Lanka, the Maldives, and Myanmar. Circumstantial evidence that might bear on attribution is too ambiguous to make a tentative call, but one of the IP addresses used, NETSCOUT says, was used by the now apparently defunct Indian APT DoNot Team, one of the credential harvesting domains that had been earlier attributed to a Chinese government actor.

Dave Bittner: [00:06:37:10] Verizon recently released the 2019 version of their annual mobile security index. The report surveys data from nearly 700 industry professionals to discover trends in mobile security and data use. Matthew Montgomery is a managing director in the Verizon business group.

Matthew Montgomery: [00:06:53:18] Last year's report, from my perspective, was somewhat of an ah-ha. We had many briefings with customers and we would be talking about their wire line cyber security, you know, framework and we would then ask those questions about how are you securing the edge? How are you ensuring that, since more work may get done on a tablet than your laptop, how are you ensuring that that tablet has the same level of security? And I think the report in '18 really referenced that, and it was an ah-ha moment that the big thing out of the '18 report was that more people, more organizations, were nervous about using access to their device, versus data breaches, which to me was astounding, meaning work now was being done on a mobile phone and tablet level that the business continuity component was huge, I think like 80% or something.

Matthew Montgomery: [00:07:48:00] So, this used data really continued to follow the same trend, so nothing really new. We did take a couple of steps back, in that we expected, since we had, you know, we had outlined and showcased some of the risks that these companies were facing, we expected them to take more aggressive action, and in some cases they haven't. But really, the key findings is, I'd call it, the mobile threat is real. We've seen about 70% were less confident in their own security around mobile devices and, frankly, about 70% feel that the risk has also grown, year over year. So, affirmation back from our customers. And the impacts were serious, that, you know, we're up about 5% over the year, in terms of organizations admitting a compromise on, via mobile device and I think it was around 60% or so described that breach or compromise as major and it had lasting repercussions.

Matthew Montgomery: [00:08:47:24] It's interesting to note there's a Fortune - I read this over the weekend - there's a Fortune article out there that talks about the risk to small businesses now and, you know, more and more small businesses are doing their business from a mobile perspective. They're using payment technologies that are attached to tablets, and how a simple breach could really destroy their business. I think our data spoke to that, the whole idea of employee misuse, it really kind of stood out to me. 37% were confident they could spot employee misuse, while 95% of organizations that had employees, they admitted accessing things like adult content, gambling, inappropriate areas, they felt like they had the right profiles and security, yet the involvement of public WiFi, grew year over year.

Matthew Montgomery: [00:09:36:21] So, just the acknowledgment of the threat, the actions they're taking to mitigate the threat, yet we're still seeing the growth of the threat increase on the mobile side. So again, you know, a little bit more work to do, I think, on the organizational side, but certainly the analysis and understanding of the findings that the report had, as well as the gaps in mitigation techniques that are in place.

Dave Bittner: [00:10:00:02] Now, are you seeing an alignment where, when folks are recognizing that this is a growing threat, are they also increasing their funding and their spending on that side as well, or is there a gap there also?

Matthew Montgomery: [00:10:13:01] Well, that's a great question. And about 70% said their mobile security spending was increasing, year over year. So, of the respondents, you know, we see the growth in mobile spending, so they are doing that. But then, when you dig below the lines, okay, so, yes, "I'm going to spend more money, I may add threat detection, I may do something more aggressive with my container, I may add more training for my employees about changing passwords and not using public hot spots and things like that," only 12% had four of the most basic precautions in place and that was down year over year. I mean, so yes, they're increasing their spending, yet only 12% had the four, and those basic things are like encryption, obviously, stress testing your security profiles and restricting access. You know, that's really simple common cyber security, you know, hygiene, even things like changing default passwords. So, year over year, those four basic precautions actually went down, yet the dichotomy is about 70% said they were increasing their mobile spending.

Dave Bittner: [00:11:22:17] That's Matthew Montgomery from Verizon. The report is the Mobile Security Index Report for 2019.

Dave Bittner: [00:11:31:20] Norsk Hydro has largely returned to normal operations, after last week's LockerGoga ransomware attack. Production in its Extruded Solutions division, one of the most affected by the attack, had yesterday reached 70% to 80% of normal capacity. The company is headquartered in Norway, but operates internationally, and the attack disrupted operations in many places around the world.

Dave Bittner: [00:11:54:11] Secondary attacks, whether opportunistic or planned, remain a concern. Norsk Hydro warns against spoofs, urging anyone receiving an email that appears to be from Norsk should contact the company before taking any action the email might suggest. There seemed to be some emails going out to customers, partners, and suppliers, suggesting that they change their banking information. Norsk says you should ignore these requests; the aluminum manufacturer is sending out no such requests. Bogus communications could represent attempts to either spread the ransomware or defraud third parties through social engineering.

Dave Bittner: [00:12:32:03] And finally, Russian reaction to the US Attorney General’s letter to Congress, outlining the conclusions of Special Counsel Mueller’s investigation into election interference has generally been muted, but Moscow’s been offering more of its opinions at midweek. Foreign Policy magazine has a discussion of the Russian take on the Special Counsel's investigation, and they say that the Kremlin, too, is claiming exoneration. But Moscow does so, one must observe, with far less justice than President Trump. The report the Attorney General rendered to Congress explicitly calls out Russian influence operations, and the Special Counsel's work resulted in indictment of twelve Russian intelligence officers, which hardly looks like exoneration. We’re not lawyers, but we’ve seen TV, and “Extradite me if you can, Yankee,” seems a pretty weak defense, but, hey, innocent until proven guilty, right?

Dave Bittner: [00:13:25:08] In the meantime, if you’re made a career in the Internet Research Agency, think twice before honeymooning in the Maldives, or changing planes in, say, Guam. Pro travel tip, Chelyabinsk is lovely this time of year.

Dave Bittner: [00:13:44:21] And now, a word from our sponsor, KnowBe4. Email is still the number one attack vector the bad guys use, with a whopping 91% of cyber attacks beginning with fishing. But email hacking is much more than fishing and launching malware. Find out how to protect your organization with an on demand webinar by Roger A Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through ten incredible ways you can be hacked by email and how to stop the bad guys, and he also shares a hacking demo by KnowBe4's chief hacking officer, Kevin Mitnick. So check out the ten incredible ways, including how silent malware launch, remote password hash capture and rogue rules work, why rogue documents establishing fake relationships and compromising a user's ethics are so effective, details behind click jacking and web beacons and how to defend against all of these. Go to slash ten ways to watch the webinar. That's and we thank KnowBe4 for sponsoring our show.

Dave Bittner: [00:15:04:22] And joining me once again is Emily Wilson; she's the VP of Research at Turbium Labs. You recently wrote a piece for the next web and you were focusing on data collection here. Can you take us through, what were you getting at?

Emily Wilson: [00:15:17:12] This article came out of a conversation I was having with someone right after one of the many Facebook data breaches a few months ago, or, you know, news of misuse - some are breaches, some are just negligence. When someone asked me, what could somebody have done to avoid this happening, or what could people do going forward to avoid being caught up on breaches. And I made a joke, right, you know, "They could not use Facebook, but they're not going to do that." Because we get into situations with things like Facebook, or these other tech giants, where you can't really opt out. Now, this is certainly true for things like financial services. If you want to transact in the economy, you have to participate in the economy and so that's true for financial data. If you want to have a line of credit, if you want to have money, short of finding a bartering system where you're trading precious metals in exchange for dry goods, you have to give your information to financial services. But we've extended that now, we've gotten to the point now where it isn't just financial services where you are forced to share data, or you are required to share data. Facebook has become this behemoth organization that, for better or for worse - and we would say for worse in most cases - is the best way that people have to connect with their friends and family around the world.

Dave Bittner: [00:16:50:08] Right.

Emily Wilson: [00:16:51:12] Social media has become something people expect. They expect you to have social media accounts, they expect you to have email addresses. There's all of the convenience of shopping online, so there's more information there. You're not going to stop using e-commerce platforms, so there's more information, there's information being spread there. We think about things like entertainment services, whether you're sharing your information with a video streaming site, or with your cable provider. Again, you're opting into sharing your data there. And none of these companies, none of them have, you know, robust ethical, transparent data sharing practices.

Dave Bittner: [00:17:31:15] Yeah, well, it seems like the non option option they give you is, either we're going to share your data, or don't use our service.

Emily Wilson: [00:17:41:12] That's what it comes down to. And you're lucky if you get that much from them. You know, we see stories, it feels like every other week now, of some company being sued, because they were sharing information. I just saw the Weather Channel is being sued, because their app, they were sharing information with IBM and others in their partnership network. And they come out and say, you know, in defense of their practices, "Well, you agreed to the user agreement, you checked the box in the privacy policy and we're very clear about the fact that we're doing this," and no one's reading all 18 pages of those. There's some expectation that if you share your information with a company, they are going to use it, to provide you the service that you have signed up for and that's the end of it. But that's not happening because, again, data is a commodity, it's valuable. It's being monetized and not just by cyber criminals. You know, it's being monetized in the mainstream economy, it's fuel for the economy, and companies don't want you to focus on that, because they require your data to make more money.

Dave Bittner: [00:18:47:04] Yeah, well, is it all doom and gloom? I mean, are we looking at pushes to maybe right this ship and get us going in the right direction?

Emily Wilson: [00:18:55:11] I'm certainly not an optimist in this camp. I am, at best, a pragmatist. The one thing that I have, that I'm holding onto and I mention this in the article, is that we are all in this together. So, because everyone is opting in, everyone is required to opt in, that means that no-one is opting out. So it's not just you and me, it's politicians, it's world leaders, it's influential figures, it's people with resources, it's people who are also being hit by this and the point at which one of them is unhappy and decides to devote resources to making it better, then we might see a change. But, of course, that also relies on those people deciding that data privacy is more important than profit and I'm skeptical that that's going to happen.

Dave Bittner: [00:19:47:19] Well, the article has the sunny title, Depressing Lessons 2018's Endless Data Breaches taught us, and it is over on the Next Web. Emily Wilson, thanks for joining us.

Dave Bittner: [00:20:03:05] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:20:15:21] The CyberWire podcast is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiban; technical editor, Chris Russell. Our staff writer is Tim Nodar; executive editor, Peter Kilpey and I'm Dave Bittner. Thanks for listening.