Dave Bittner: [00:00:03] Operation Soft Cell was low, slow, patient and focused and, apparently, run from China. Washington and Tehran are woofing at each other with more exchanges in cyberspace expected. Cyber due diligence is taken increasingly seriously during mergers and acquisitions. Short-sighted design choices affect app security. The U.S. security clearance process gets an overhaul. Shimmers replaced skimmers. Maryland's governor ups the state's cybersecurity game in response to the Baltimore ransomware event. A look at the rising tensions between the U.S., Russia and Iran when it comes to critical infrastructure. And we'll have an explanation for yesterday's U.S. internet outage.
Dave Bittner: [00:00:50] And now a few words from our sponsor KnowBe4. Everyone knows that multi-factor authentication, or MFA, is more secure than a simple log-in name and password. But too many people think that MFA is a perfect unhackable solution. It isn't. Learn from Roger Grimes, KnowBe4's data-driven defense evangelist in an on-demand webinar where he'll explore 12 ways hackers can and do get around your favorite MFA solution. The webinar includes a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick and real-life successful examples of every attack type. It will end by telling you how to better defend your MFA solution so that you get maximum benefit and security. Go to knowbe4.com/mfa to watch the webinar. That's knowbe4.com/mfa. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:01:51] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:02:05] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 25, 2019. Cyberreason has released a report on a long-running extensive but highly focused campaign, Operation Soft Cell, that compromised mobile networks. It appears to be the work of Chinese intelligence services, specifically APT10, also known as Stone Panda. It's either APT10 or someone operating just like them, as the Register puts it, to express the attribution with proper caution.
Dave Bittner: [00:02:40] These Soft Cellers have spent the last two years and a few months lurking in some 10 mobile networks worldwide. They were quiet, patient and focused, interested, for the most part, it seems, in watching the movement and other activity of what the researchers characterized as 20 to 30 high-value targets, persons of interest to espionage services like politicians and diplomats. There's no particular evidence that Operation Soft Cell pulled content from their targets' messages, but the metadata alone were valuable since such collection can yield the victim's place of work, travel and abode, as well as whom they talked to, how long they talked and so on.
Dave Bittner: [00:03:21] The operation avoided detection by going quiet for extended periods of time. It was, as they say, low and slow. They also installed their own VPNs in the networks they infested, which made their job easier. Those installations seem, in general, to have escaped notice.
Dave Bittner: [00:03:38] Two members of APT10 were indicted by the U.S. Justice Department back in December on charges related to espionage, specifically with theft of intellectual property from U.S. corporations. They are, of course, not in custody nor are they likely to be. The indictment was part of the general U.S. naming and shaming approach to Chinese cyber misbehavior.
Dave Bittner: [00:04:00] Washington and Tehran barked some more yesterday, but they didn't bite, at least not at each other, at least not yet and at least not publicly. The U.S. did, as promised over the weekend, announce new sanctions against Iran with President Trump warning Iran not to overestimate American patience or restraint, as both of these have limits. For its part, Iran pointed out that it could knock down an American drone anytime it decided to do so and that, quote, "the enemy knows it," end quote.
Dave Bittner: [00:04:30] New sanctions directly affect senior Iranian leaders. And Tehran remarked that they were outrageous and stupid. The New York Times, which has been looking at Iranian Twitter feeds and other sources, thinks that both regime hardliners and their opponents think the whole sanctions shtick has been done to death and that it's unlikely that the latest round will change much. Their reported reaction suggests that the Americans are more or less making the economic version of a rubble jump. As one Iranian wag tweeted, quote, "the only people left to sanction are me, my dad and our neighbor's kid," end quote.
Dave Bittner: [00:05:05] More seriously, observers tell The Washington Post that an Iranian cyber campaign, if one continues to develop, will probably resemble Tehran's earlier work - opportunistic and destructive. KnowBe4 warns everyone to expect heightened rates of phishing.
Dave Bittner: [00:05:23] As Baltimore continues its recovery from the recent ransomware infestation it suffered, Maryland's governor is focusing his attention on better protecting the Old Line State. The CyberWire's Tamika Smith has the story.
Tamika Smith: [00:05:36] Maryland joined a list of states across the country to hire a statewide chief information security officer. Governor Larry Hogan created this position along with the Maryland Cyber Defense Initiative. This new push comes after Baltimore City was hit by a ransomware attack in May, making it the second time the city was targeted. Here to talk more about this new position and the panel is Danielle Gaines. She's a reporter for Maryland Matters. It's an independent, not-for-profit news organization that covers government and politics across the state. Hi, Danielle.
Danielle Gaines: [00:06:10] Hi. Thank you for having me.
Tamika Smith: [00:06:11] Thanks for joining us. So let's get right to it. Maryland is joining Arkansas, Massachusetts, Ohio and Washington and creating this CISO position. What is it exactly expected to do?
Danielle Gaines: [00:06:24] So this is going to be a new statewide chief information security officer. A similar position with kind of less authority statewide had already existed within the state's Department of Information Technology, so that position is being expanded. And that individual is going to lead something new called the Maryland Office of Security Management. And that office is going to create some uniform standards for how each state agency classifies the personal information that they accept from the public and then how they protect that personal information. That office is also going to create some centralized policies to help the state respond more swiftly if there is a cyberattack incursion in data systems.
Tamika Smith: [00:07:11] So this new individual, this CISO, his name is John Evans, and he's served as a chief information officer for the Department of Information Technology. And he'll be taking on this expanded role. What do we know about him?
Danielle Gaines: [00:07:24] So as you said, John had worked for the Department of Information Technology, and this new role is basically an expansion on that. So he'll be working with a lot more state agencies and kind of trying to get them all on the same page. He's been in Maryland for a little while. He teaches cybersecurity at University of Maryland University College. He is on other positions in the state, including the Maryland Cybersecurity Council. He helped create a data center for the state that was called MD THINK, and that basically combined data for a number of social services organizations in the state to help kind of streamline and create efficiencies within those.
Tamika Smith: [00:08:05] So Mr. Evans has definitely been on the front lines of this.
Danielle Gaines: [00:08:09] Yes, he has, and there was some reporting that, at the last meeting of the Maryland Cybersecurity Council, one of the things - so that's a different group that's not impacted at all by this executive order. It has existed since 2015. It has a bit of a different focus, which is protecting the state's critical infrastructure - if there was some sort of breach of, you know, the electric system or the water system statewide. And so he's been a part of that council, and he was talking to that council recently about how to kind of integrate state and local responses to cybersecurity threats.
Tamika Smith: [00:08:42] The governor also created the Maryland Cyber Defense Initiative. What does that include?
Danielle Gaines: [00:08:47] So the Maryland Cyber Defense Initiative includes the position, as you stated, and then that Office of Security Management. It also creates a 10-member panel called the Maryland Cybersecurity Coordinating Council. That council is going to consist of high-level government officials that will provide guidance on a kind of broad statewide policy as it pertains to cybersecurity. Some members of that panel include the secretaries of the Department of Budget and Management, the secretary of Transportation, the superintendent of Maryland State Police, the director of the Maryland Emergency Management Association. And that group is going to consult with outside experts as well to give kind of these broader, overarching direction to state cybersecurity effort.
Tamika Smith: [00:09:32] So while I have you here, Danielle, let's look at Baltimore city. How are they doing after the ransomware attack back in early May?
Danielle Gaines: [00:09:39] The city of Baltimore is almost completely back online, not entirely. As you know, Mayor Jack Young has refused to pay a 13 Bitcoin ransom as part of that ransomware attack. City services were completely halted for some time. They had to create some workarounds for real estate transactions to allow people to register as candidates for the next city election. And, you know, they're still doing some workarounds for water bills and other things, but they hope to be back online entirely in the next few weeks.
Tamika Smith: [00:10:10] A lot to be done in Baltimore and definitely a lot on the front of cybersecurity across the country. Thank you so much, Danielle, for joining the program.
Danielle Gaines: [00:10:19] Thank you for having me.
Tamika Smith: [00:10:20] Danielle Gaines is a reporter for Maryland Matters. It's an independent, not-for-profit news organization that covers government and politics across the state. You can follow her @danielleegaines on Twitter.
Dave Bittner: [00:10:33] And Tamika Smith joins me in studio. Tamika, where do things stand in terms of other states adopting programs like this proactively?
Tamika Smith: [00:10:43] That's a really good question, Dave. When you look at the CISO position, this position isn't quite new, but what is new is having a statewide position with a statute attached to it. So Maryland, in this regard, is joining about 15 states across the country, including Colorado, Delaware, Florida, Illinois. These are states that actually have statutes attached to this specific position.
Dave Bittner: [00:11:12] Is there a template that states are using when they're establishing the CISO position?
Tamika Smith: [00:11:16] In general, when you're looking at this position across the country, there are few things that the state wants to make sure is actually happening. They're creating statewide security policies and IT standards, requiring information security plans and annual assessments or reporting and also requiring that, periodically, security awareness training is provided for their employees.
Dave Bittner: [00:11:40] Tamika Smith, thanks so much.
Tamika Smith: [00:11:42] Thank you.
Dave Bittner: [00:11:44] Forescout has released the results of a survey that outlines how cybersecurity figures in merger and acquisition due diligence. Slightly over half of the respondents say that they encountered a cybersecurity issue during due diligence that put the deal in jeopardy.
Dave Bittner: [00:12:00] Positive Technologies looks at mobile device security and finds that a prospective data thief rarely needs physical access to a phone in order to pull information from it. The root problem, the researchers find, lies in insecure data storage, and the problems with such storage all too often derives from the earliest stages of app development, where design decisions are made without fully thinking through their security implications.
Dave Bittner: [00:12:25] The U.S. Department of Defense has recently assumed a leading role in managing security clearances across the government, and it's changing some branding to signal a fresh start. The Defense Security Service will henceforth be known as the Defense Counterintelligence and Security Agency. By October 1, the agency will have absorbed the National Background Investigations Bureau.
Dave Bittner: [00:12:48] Flashpoint sees a shift in the card-skimming underworld. Skimmers are on their way out, being replaced by skinnier devices known as shimmers, designed to be slipped into the card reader itself, with the data captured being eventually retrieved by the swipe of a criminal's card.
Dave Bittner: [00:13:06] And finally, Cloudflare traces yesterday's U.S. internet outages to a cascading catastrophic failure that began with Verizon's incautious acceptance of a BGP goof from a small Pennsylvania ISP. So it was a fumble and not an attack, and evidently, all fixed now.
Dave Bittner: [00:13:29] And now a few words from our sponsor, Dragos, the leaders in industrial cybersecurity technology. Threats to industrial organizations are proliferating, as Dragos recently identified the most dangerous threat to ICS. Xenotime, the activity group behind Trisis, has expanded its targeting beyond oil and gas, illustrating a trend that will likely continue for other ICS targeting adversaries. Learn more about the eight public threat activity groups Dragos tracks at dragos.com/adversaries and how taking an intelligence-driven approach to ICS security is the most comprehensive defensive strategy to combat industrial adversaries. To register for a free 30-day trial of Dragos' ICS threat intelligence, visit dragos.com/worldview. And we thank Dragos for sponsoring our show.
Dave Bittner: [00:14:31] And joining me is Sergio Caltagirone. He's the head of threat intelligence at Dragos. So I want to start off here. We're going to be talking about these increased tensions between the U.S., Russia and Iran, and I want to start off just by getting your overall sort of high-level take on this - of both how you would describe what's going on and your overall reaction to it.
Sergio Caltagirone: [00:14:56] So I think that there's three elements here that are in play. The first is, of course, the U.S. and Russian interactions and escalation that's been occurring, and then the second is, of course, the U.S. and the Iranian situation in the Middle East. So I think together, they pose a very unique situation where, at this moment in time, the U.S. is potentially facing two fronts of major cyber escalation.
Dave Bittner: [00:15:24] And these two fronts may themselves be allies.
Sergio Caltagirone: [00:15:29] Of course, yes. So the Russians and Iranians are allied in certain areas of common interest. Militarily, I think that the allyship has been maybe a bit less pronounced and fairly weak, but, of course, in any time of conflict, that can change radically.
Dave Bittner: [00:15:51] I want to focus on this blog post that you all put up recently. This is titled "Five Things ICS Operators and Critical Infrastructure Must Do in the Face of Cyber Escalation." Let's go through this together. The first step that you list here is take the threat seriously.
Sergio Caltagirone: [00:16:07] Yeah. So the fact is that there are retaliatory options available to all of the countries involved, and, of course, as rhetoric and as actions increase the escalation of tensions, then, of course, countries can act and react in a very short period of time. The challenge is, of course, that no country wants to deploy, you know, military or kinetic force causing a loss of life. And so cyber is a potential means of using asymmetric force and warfare to cause impact and retaliate without necessarily losing life. So all in all, this seems to be, you know, a very serious situation where people will - and, you know, we will see - and we have seen, of course, a little bit now - some amount of force being used across cyberspace.
Dave Bittner: [00:16:55] The second point you list here is think beyond borders.
Sergio Caltagirone: [00:16:57] So that's really important, and that's one that I think most cyber defenders have a challenge with. It's our job, as threat intelligence analysts, to understand the world at large and how that interplays with cybersecurity. And, of course, the key element here is that countries almost never engage in force unilaterally, and so you will likely see offensive operations conducted in conjunction with or in cooperation with multiple countries. So we can't just worry about what does Iran do or what's Iran going to do, but what could Iran do and potentially other allies do? And the same with the U.S., right? What could the U.S. do, as well as U.S. allies do, in retaliation? So we have to keep the idea of conflict broader than one country versus another.
Dave Bittner: [00:17:41] And then the next one is increased visibility in threat detection.
Sergio Caltagirone: [00:17:44] Yeah, this is the one that we hit the most, right? When we walk into - we do a threat response almost every week at Dragos inside of industrial control networks. And the biggest thing we get is, when we walk in, we find that there's very limited, if any, telemetry being collected. That's, of course, cybersecurity telemetry being collected inside of these environments. So when something happens, understanding, you know, what occurred and what might happen next is very hard. And so what we try to ask folks to do is - that's where you have to start, which is see what you can see, gather what you can gather, and most importantly, in a time of escalation like this, you know, go ahead and ramp that up. You know, you can always ramp down your collection later, but when it's important, you need to go ahead and get more data.
Dave Bittner: [00:18:33] And then, last but not least here, you say engage in active threat hunting.
Sergio Caltagirone: [00:18:37] Yeah. So threat hunting does two things, right? One is, hopefully, you go and find stuff that you weren't seeing before. But actually, more important with threat hunting is that when you do engage a team to conduct active threat hunting during a time of escalation, what it means is that you're going to be even more prepared if and when they find something or something happens. And so for any company, that's super important - is that you'll have a team there ready, and they will have the tools and capabilities ready to roll. So a small investment up front to be prepared generally, you know, gives you tons of dividends later. There's a lot of different ways you can attack critical infrastructure in different areas, and so for us, what we're seeing is a growth in that as well as a growth in escalation. And when you see both intent and capability grow at the same time, you thereby increase the risk environment.
Dave Bittner: [00:19:28] All right. Well, Sergio, thanks for joining us.
Sergio Caltagirone: [00:19:31] Oh, thanks for having me. I appreciate it.
Dave Bittner: [00:19:32] That's Sergio Caltagirone from Dragos. The blog is titled "Five Things ICS Operators in Critical Infrastructure Must Do in the Face of Cyber Escalation."
Dave Bittner: [00:19:46] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:59] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, John Petrik, Jennifer Eiben, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.