The CyberWire Daily Podcast 4.17.19
Ep 824 | 4.17.19

Spearphishing from “Luhansk.” Pro-Assange hacktivism. Another undercover private eye? Pirated Game of Thrones episodes carry malware.


Dave Bittner: [00:00:03] A spear-phishing campaign against Ukraine has been traced to the so-called Luhansk People’s Republic. Anonymice threaten to reign chaos on Yorkshire if Julian Assange isn't freed - actually, more chaos, since the initial chaos was perhaps too easily overlooked. An implausible venture capitalist is asking people if they're being paid to bad-mouth a security firm. And pirated "Game of Thrones" episodes carry malware.

Dave Bittner: [00:00:34] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Prevention-based tools leave you blind to any threats inside your network. By adding behavioral-based network traffic analysis to your SOC, you can find and stop attackers before they make their move. ExtraHop illuminates the dark space with complete visibility at enterprise scale, detects threats up to 95 percent faster with machine learning and guided investigations that help Tier 1 analysts perform like seasoned threat hunters. Visit to learn why the SANS Institute calls ExtraHop fast and amazingly thorough, a product with which many SOC teams could hit the ground running. That's And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:32] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 17, 2019.

Dave Bittner: [00:01:40] Military officers in Ukraine are being spear-phished by a group seeking to install the RATVERMIN back door. RATVERMIN is a second-stage payload delivered by a PowerShell script. FireEye, which identified the campaign, links it to the Luhansk People’s Republic. This is a region in eastern Ukraine controlled by Russia and represented by the occupiers as being a breakaway state that's won its independence from Ukraine. Kiev regards Luhansk as nothing more than an administrative fig leaf for Russian occupation. Kiev probably has it right.

Dave Bittner: [00:02:15] The Washington Post sees the Luhansk operation as a troubling harbinger of small-state and nonstate actors deploying increasingly sophisticated cyberweapons. In this, they're following FireEye's lead. The company's John Hultquist told the Post that, quote, "we're focused on the big players, and for good reason. But we should bear in mind that if this small substate can put together a hacking capability, then anyone can," end quote. Maybe, but with hacking, as has so often been the case with kinetic terrorism, while there are genuine instances of attackers operating quite independently of other support, there are many more instances of attackers working deniably on behalf of a state. That's especially true with the more troublesome and damaging attacks.

Dave Bittner: [00:03:02] FireEye did say it found no evidence that the Luhansk group was being assisted by Russia. But here, that old chestnut that absence of evidence isn't the same thing as evidence of absence should be kept in mind. And to ask if the Luhansk People's Republic is receiving assistance from Russia is a little like wondering whether Google receives assistance from Alphabet. In both cases, they're wholly owned subsidiaries. So alternatively, this aspect of the campaign might be more realistically viewed as a Russian attempt to achieve plausible deniability and not as a small-group breakout into the big time.

Dave Bittner: [00:03:40] Here's an example of what looks like small-group activity. Contrast it with the sophistication of the RATVERMIN installation campaign. Supporters who wish to stand by Julian Assange are doing so by taking two Yorkshire councils' websites down. Presumably, the attacks on Barnsley and Bedale would prompt a groundswell of hacktivist pressure in favor of Mr. Assange's release. Barnsley Council said it had indeed sustained a distributed denial-of-service attack and that it had succeeded in restoring its website. The council also alerted the National Cyber Security Centre of the incident. The Bedale matters were a little different. The Bedale Town Council said it was unaware that anything had happened to its site, so go figure.

Dave Bittner: [00:04:26] Anywho, needless to say, someone has claimed responsibility for the incidents. Tweets from the Philippine Cyber Eagles and the Anonymous Espana both claimed credit. And CyberGhost404, thought to be the founder of both groups, if indeed these are groups in any meaningful sense, offered a menacing message - quote, "free Assange, or chaos is coming for you," end quote. So there.

Dave Bittner: [00:04:53] Why Yorkshire was chosen as the beachhead for this particular hacktivist invasion is unclear. In the case of Bedale, apparently nothing happened at all, unless, of course, that particular corner of North Yorkshire is ordinarily so chaotic that any new chaos that came for you - for them - was just lost in the sauce. But it looks like another hacktivist fizzle. And, of course, Mr. Assange remains in custody.

Dave Bittner: [00:05:17] But to return to the spear-phishing campaign in Ukraine, FireEye's Hultquist makes a good point later in his interview with the Post. He noted that Russia's hybrid war in Ukraine has been a kind of proving ground for attack tactics and techniques. The Post quotes Hultquist as saying, "it's created this consistent battle rhythm of activity that we'd never seen before," end quote. Russian cyber operators have a record of perfecting their method against Ukraine and then using them elsewhere, and that does seem beyond serious question. But as a sign of increased capability on the part of unrecognized microstates and others with axes to grind, we'll wait and see. If Sealand or the Republic of Awesome turn out the lights in North Yorkshire or change every high schooler's grades in Union County, N.J., that would be a different matter.

Dave Bittner: [00:06:07] Moody's Investors Service recently published research titled "Credit Implications of Cyberattacks Will Hinge on Long-Term Business Disruptions and Reputational Impacts." The report outlines which business sectors they believe have high-risk exposure to cyberattacks. Derek Vadala is managing director of global cyber risk for Moody's Investors Service.

Derek Vadala: [00:06:30] So we view cyber risk as event risk. And so we recognize that there are now these global cyber events which have real dollar-value impact. If you look back to 2017 and NotPetya, there is a view that that was about $10 billion of exposure across a number of different companies with about 2 1/2 billion really focused on just four companies.

Derek Vadala: [00:06:50] When you start to think about these kinds of very large financial impacts across individual companies, you can start to think about how that affects overall liquidity and other financial strength of those individual companies and how that could eventually have an impact on credit. And so that's the way we're thinking about it is these financial exposures due to cyber events can have a channel to credit at some point if they rise to a certain level.

Dave Bittner: [00:07:16] And have we reached the point where there's enough history with these sorts of things that we can make accurate predictions?

Derek Vadala: [00:07:22] I think we're still in the early days of being able to use historical event data to make predictions. But that's obviously something that a number of different industries, including the insurance industry, are very focused on. But the dataset that exists for this is not quite as long and rich as datasets, for example, on normal types of cat risk or, you know, other risks associated with, for example, weather events.

Derek Vadala: [00:07:47] We do think that this dataset is building over time. And it will get better over time. But there's still work to be done. For example, a lot of the datasets really focus in on breaches of privacy information because that's where a lot of the regulations exist. And the disclosure requirements around cyber events tend to focus today on breach of personal information. And that means that the datasets often are missing things like disruption events. Or maybe there are disruption events that occur, but they're not attributed to cyber events. And so in order for the datasets to improve, the disclosure has to improve, and it has to start to cover events beyond privacy-breach events.

Dave Bittner: [00:08:30] Now, the research covers some specific sectors that you all see as having a high risk of cyberattacks. Who are we focusing on here?

Derek Vadala: [00:08:40] Yeah. So when we did our analysis, what we came back with is that there are four sectors with about 12 trillion in rated debt that we thought were at a high risk. And these included the banks, securities firms and market infrastructures, you know, financial institutions, and also included hospitals. And some of the reason for that, for example, in the financial services side is the fact that these organizations are so reliant on technology and supply chain. Their transaction volumes are very, very high. And so the ability to do things like revert to manual processes in those industries is very, very limited. Hospitals, for example, have a lot of personal data. But more importantly, they're starting to become even more interconnected in terms of patient care, which obviously opens up a number of potential vulnerabilities that could affect patient care and impact patient health.

Derek Vadala: [00:09:38] I think one of the things that's important to point out here is we're really looking at the inherent risk across the 35 sectors that we evaluated. And we're not taking into account today individual defenses that an individual company might have. And that's important for us because what we're trying to do right now is really set a baseline across the playing field and come up with a relative ranking of inherent risk across sectors.

Dave Bittner: [00:10:02] That's Derek Vadala from Moody's Investors Service. The research is titled "Credit Implications of Cyberattacks Will Hinge on Long-Term Business Disruptions and Reputational Impacts."

Dave Bittner: [00:10:15] The Wipro hack may have targeted dozens of the company's clients. The company initially put a brave face on reports of the breach, pooh-poohing the first reports from KrebsOnSecurity during its recent earnings calls, but it now acknowledges that, yes, the attack did take place. It's bringing in an unnamed forensic company to help with its investigation. Several media reports have said that the incursion appears to be the work of a nation-state and that the targets were Wipro clients. The IT outsourcing and consulting firm was itself more avenue of approach than target. This may represent a trend as intelligence services begin to take a growing interest in managed service providers.

Dave Bittner: [00:10:58] The AP is reporting on another suspicious questioner, one Lucas Lambert, who said he was a venture capitalist and wished to talk with a think tank about a cyber conference Mr. Lambert said his firm was organizing. His questioner, Chatham House Russia specialist Keir Giles, was struck by the way conversation all turned quickly to whether anyone was being paid to bad-mouth Kaspersky Lab. A couple of other things struck him, too. For one, Mr. Lambert claimed to be based in Hong Kong but seemed to be as unfamiliar with that city as, say, a Manhattanite might be unfamiliar with Secaucus. For another thing, he kept asking Giles to speak up and repeat himself to the point where Giles thought he might ask whether he ought to speak into Mr. Lambert's pen or necktie or briefcase, or wherever else the microphone was secreted. And for yet another, he thought Mr. Lambert's suit looked too cheap to be one a VC might wear. Kaspersky Lab didn't respond to the AP's questions about whether they had anything to do with the inquiry.

Dave Bittner: [00:12:00] The AP is reminded of a similar approach to the University of Toronto's Citizen Lab by one Michel Lambert back in February. In that case, the microphone looked as if it were in Monsieur Lambert's pen. Monsieur Lambert was interested in finding out why people were slandering controversial lawful intercept firm NSO. NSO said then they've never heard of Monsieur Lambert.

Dave Bittner: [00:12:25] So are Lambert and Lambert the same mug, or maybe related? The general take is that they're the kind of PI who appeared as a second or third banana in a Bogart movie, usually played by Elisha Cook Jr. and rarely successful at getting the girl or cracking the case. We hope there really are two of them. They'd be like Thompson and Thomson - Dupond et Dupont in the original. We always like those two detectives in the "Tintin" comics.

Dave Bittner: [00:12:53] And finally, "Game of Thrones" fans, when you watch, watch properly. And pay for your premium channel. It's giving you value, right? Pirated copies of the new episodes are out and about, Zscaler warns, and many of them contain a subtitle file that contains malicious code, specifically a remote execution exploit. And if you download one of those - spoiler alert - winter is coming for sure.

Dave Bittner: [00:13:24] Time for a message from our sponsor, KnowBe4. It can take a hacker to know a hacker. Many of the world's most reputable organizations rely on Kevin Mitnick, the world's most famous hacker and KnowBe4's chief hacking officer, to uncover their most dangerous security flaws. You might ask, hey, where can I get the skinny on the latest threats? And where could I find out, what would Kevin do? Well, at KnowBe4's webinar, that's where. Kevin and Perry Carpenter, KnowBe4's chief evangelist and strategy officer, give you an inside look into Kevin's mind in this on-demand webinar. You'll learn more about the world of social engineering and penetration testing by listening to firsthand experiences and some disconcerting discoveries. You'll see exclusive demos of the latest attack ploys, find out how they could affect you and learn what you can do to stop them. Go to to register for the webinar. That's And we thank KnowBe4 for sponsoring our show.

Dave Bittner: [00:14:37] And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, it's great to have you back. You all recently released some survey results that tracked artificial intelligence and machine learning. What did you find out here?

David Dufour: [00:14:52] MLAI - it's very close to me. We've been spending 10 years-plus doing machine learning at Webroot, so we have very strong opinions. And this survey just - it's interesting to me where we talked to a lot of our customers or people in the industry, and 76 percent of the people we surveyed said that it didn't matter if their protection included AI or machine learning. But then 70 percent said they wanted to see advertising that said you used AI or machine learning. So...

Dave Bittner: [00:15:23] Oh, wow.

David Dufour: [00:15:24] Yeah. I'm not exactly sure where the connection there is. And what I think is - you know, I go out to the MSP shows and things like that, and I talk to folks. I think the feeling is if you're doing AI and ML, then you're perceived as being technically advanced and really forward-thinking. But it doesn't necessarily have to be in the product they buy from you.

Dave Bittner: [00:15:41] That's fascinating because, I mean, certainly, we've seen, like you say, at the trade shows, it's all over everything. What an interesting gap there.

David Dufour: [00:15:51] Well, it is. And you're exactly right when you say it is all over everything. And I think a lot of times, people lose sight of the value that artificial intelligence and machine learning can bring. And they're more interested in seeing that it's available. And I think what we need to do as an industry - not as the producer, but as the consumer - understand what value that the ML or AI is going to bring to you - not just, is it in there? Because a lot of folks see that - they see the hype, and they just run with it, where, if you really understand the specifics - where it's helping, where it's not helping - that's how you can really make a judgment if it's something valuable to the product you're buying.

Dave Bittner: [00:16:31] What about the sophistication of the tools themselves? Are people - are you finding that folks are comfortable using these tools?

David Dufour: [00:16:38] Well, from our perspective, as - a consumer of our solution shouldn't even know if it's AI or ML. So you could be using it and have no idea that you're using any type of machine learning environment because it should automatically protect. It should automatically remediate. It should automatically do everything for you as much as possible. Now, there are tools that you have to be interactive with, and those tools have varying levels of complexity and knowledge that you have to have. So it really depends on the tool and what you're using it for.

Dave Bittner: [00:17:12] Yeah. It sounds like, you know, your marketing folks would probably like you to install a little red blinking light that lights up every time the machine learning or artificial intelligence is being used, right?

David Dufour: [00:17:22] Yes. And I hope...

Dave Bittner: [00:17:23] (Laughter).

David Dufour: [00:17:23] ...None of them listen to this because then I'll be having my engineers put a little blinking red light and wondering why they're doing it.

Dave Bittner: [00:17:30] Right.

David Dufour: [00:17:30] (Laughter) You're absolutely right, Dave.

Dave Bittner: [00:17:32] Yeah. What about the other side of it? Are we seeing that the bad guys are making use of this stuff as well?

David Dufour: [00:17:37] You know, there's a huge belief that the bad guys are. We're not seeing as much of it that correlates with the belief that they are. Machine learning is very sophisticated. There are non-machine learning methodologies that you can use to attack machine learning models that take less sophistication and less complex techniques. And there's, as we said, the whole tried-and-true items as well of types of cybersecurity attacks that are more simple. So if you don't have machine learning on the machine protecting you, you know, those methods are good as well.

David Dufour: [00:18:10] Where am I going with all this? If you're a cybercriminal, you're going to use this stuff you know already - path of least resistance. Now, there could be some cybercriminals out there, you know, large ego, they want to really, you know, use some advanced techniques. But those are very, very few. Most people are just opportunistic. So again, we're not seeing a lot of it. But it is in existence. And I'm sure over time, it will start growing.

Dave Bittner: [00:18:34] Yeah, that's interesting. I mean, you could have the most secure - or the most sophisticated security system in your home, and somebody can still throw a brick through the window.

David Dufour: [00:18:41] This is exactly what I tell people (laughter) - that the cybercriminal who wants to steal your TV isn't going to hack your network infrastructure. They're just going to kick in your front door and take your TV.

Dave Bittner: [00:18:53] Yeah, yeah. All right, well, it's interesting stuff. It is the Webroot AIML survey, and you can find that on the Webroot website. David Dufour, thanks for joining us.

David Dufour: [00:19:03] Great being here, David.

Dave Bittner: [00:19:09] And that's the CyberWire. For links to all of today's stories, check out our CyberWire Daily News Brief at

Dave Bittner: [00:19:16] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:19:27] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.