The CyberWire Daily Podcast 4.28.16
Ep 88 | 4.28.16

Malware found in nuclear plant. Threat actors tracked in Asia. And who's Aquaman?


Dave Bittner: [00:00:02:24] The FBI is taking ISIS's potential for inspiration seriously as the United Cyber Caliphate publishes a hit list online. Malware is found in a German nuclear power plant, fortunately isolated and apparently without ill effect. BAE Systems warns that malware used in the Bangladesh Bank heist is part of a larger toolkit. Microsoft tracks Platinum, a hot patching espionage ring. And financial analysts wonder if security industry consolidation is drying up venture funding.

Dave Bittner: [00:00:34:08] This podcast is sponsored by SINET, the security innovation network, connecting the cyber security community, innovators, investors and customers, business and government. Learn more at

Dave Bittner: [00:00:54:07] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday April 28th, 2016.

Dave Bittner: [00:01:01:00] The self-proclaimed United Cyber Caliphate is heard woofing on the relatively secure message app, Telegram. The UCC has published a list of some 3600 New Yorkers whose assassination its urging.

Dave Bittner: [00:01:14:07] This isn't the first time ISIS sympathizers have published hit lists. The Cyber Caliphate Army, one of the three UCC founding groups, doxed a list of what purported to be the home addresses of former US State Department and CIA personnel last December. And so far there's no particular evidence that any such hit list have claimed victims, at least in the West.

Dave Bittner: [00:01:36:06] Passcode notes that the list doesn't seem to have emanated from any official ISIS source, but in a loosely controlled terrorist group that runs on inspiration, any meaning one might attach to the word "official" is necessarily an attenuated one.

Dave Bittner: [00:01:50:15] The increasingly over US cyber campaign against ISIS is intended in part to erode the effectiveness of the group's messaging. It appears to be having an effect on recruiting. Whether it will have a comparable effect on the more difficult target of inspiration remains to be seen.

Dave Bittner: [00:02:05:14] A nuclear power plant in the Bavarian town of Gundremmingen is mopping up some malware discovered in its systems. Security teams have found both Conficker and W32.Ramnit in plant systems. Security teams found both in a data visualization software retrofit dating to 2008 and they also found instances in removable storage media including USB drives. Plant safety and operations appear not to have been compromised.

Dave Bittner: [00:02:34:06] BAE Systems which has been investigating the Bangladesh Bank hack warns that the malware used in the attack is part of a toolkit that has broader use and that we can expect to see it again.

Dave Bittner: [00:02:44:24] Facebook users, the majority but not all of them in the Philippines, are being targeted by a social engineering campaign that induces users to watch a malicious video. ESET suggests removing the "Make a GIF" extension from your Chrome browser.

Dave Bittner: [00:02:59:16] It's a natural reaction, see some malware trying to have its way with your network, block that malware's IP. Todd O'Boyle is CTO and Co-founder at Percipient Networks and he says, not so fast.

Todd O'Boyle: [00:03:11:09] I think that blocking IP addresses for malware control, or just blocking them out of countries and those kinds of things grew out of our use of firewalls, which started in the '90s. The threats that we deal with today, they operate totally differently than the threats in the '90s. Almost all of the malware that you'll see that actually does [PHONETIC: feeling], it phones home from the inside out. And most people's firewalls filter very little outbound. They filter almost everything inbound, but they don't filter anything outbound and so the attackers know this. Attackers infrastructure and malware is set up so that it automatically routes around those kinds of things, so the attackers have basically rendered that approach ineffective.

Dave Bittner: [00:03:58:06] According to O'Boyle, there's valuable information in malware's behavior.

Todd O'Boyle: [00:04:02:17] When malware tries to phone home, pay attention to who's trying to do it, so that you can go and clean up the intrusion. The other thing that you get out of the malware channel by paying attention to that is some fingerprints about the adversary themselves. And if you put it together over long periods of time, you can piece together campaigns against you, eg, lots of targeted malware. That approach is really the future of how people are going to do security, especially in the enterprise.

Dave Bittner: [00:04:32:10] That's Todd O'Boyle from Percipient Networks. Their website named for their flagship product is

Dave Bittner: [00:04:39:23] Verizon launched their 2016 data breach investigations report. We'll talk to Verizon on tomorrow's edition of the CyberWire podcast.

Dave Bittner: [00:04:48:12] Microsoft researchers continue to track the activities of the Platinum espionage group. Active since 2009, Platinum has targeted governments, intelligence agencies, telecommunications companies and defense industries, mostly in Asia, using hot patching to avoid detection. Microsoft stopped short of calling Platinum a state-sponsored operation, but it has said that "The group shows traits of being well-funded, organized and focused on information that would be of most use to government bodies."

Dave Bittner: [00:05:18:09] In industry news, analysts mull the disappointing SecureWorks IPO and wonder whether a trend towards security industry consolidation will dry up venture funding opportunities for start-ups. Several nations, notably India and Australia, are launching a range of public-private partnerships designed to foster the growth of an indigenous cyber security industry.

Dave Bittner: [00:05:39:18] We haven't heard much lately about the Panama Papers and we do note that the obvious American dog is still refusing to bark. But the security of the information held by law firms remains of interest to hackers, and attorneys can expect that cyber criminals and other threat actors will continue to give them a great deal of unwelcome attention. We spoke to Markus Rauschecker from the University of Maryland Center for Health and Homeland Security, about why law firms are just so darn attractive to hackers. We'll hear from him after the break.

Dave Bittner: [00:06:07:03] Finally, among several product and service announcements comes news that CyberArk has organized what Infosec Magazine calls, rather breathlessly, "a Justice League" for cyber security. This C3 Alliance, as it's called, indeed has an impressive lineup, not only CyberArk, but also FireEye, ForeScout, Intel Security, LogRhythm, Qualys, Rapid7, SailPoint, SecureAuth, Symantec, Tenable Network Security, Tripwire and Varonis. Congratulations and good hunting. But we can't get one question out of our head. If this is the Justice League, who has to be Aquaman? Wonder Twin powers, activate.

Dave Bittner: [00:06:52:15] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at

Dave Bittner: [00:07:12:15] I'm joined once again by Markus Rauschecker, he's the Cyber Security Program Manager at the University of Maryland Center for Health and Homeland Security, one of our academic and research partners. Markus, we're seeing more and more that law firms in particular becoming targets for cyber attacks. Why are law firms so attractive to cyber criminals?

Markus Rauschecker: [00:07:30:11] Yes, that's absolutely true, law firms are increasingly a target for cyber criminals and I think the main reason for that is that law firms hold a lot of sensitive information, sensitive and valuable information. For example, law first hold a lot of intellectual property on behalf of their clients. Law firms are involved in mergers and acquisitions so if a cyber criminal gets access to that kind of information they could use that information to engage in some sort of insider trading, for example. They could make a lot of money based on information that a law firm holds that is not yet available to the public. In general there's just a lot of sensitive and proprietary information that law firms will hold on behalf of their clients. That information can have a tremendous impact on people's lives in big cases and small cases. And there's just a real desire for cyber criminals to obtain this kind of information.

Markus Rauschecker: [00:08:23:17] On top of all this, it appears that law firms are a little bit behind the times, so to speak, when it comes to ensuring that their networks are secure. It's been revealed in several reports that law firms are lacking in updating some of the security and safety measures that they should be engaging in when it comes to protecting their sensitive information. It's interesting also to note that according to some reports, up to 97% of law firms have actually been already breached and that it takes law firms on average about 225 days until they actually discover that breach. So this is a very serious topic.

Dave Bittner: [00:09:02:09] And of course we saw the recent Panama Papers breached, which really highlights the issue.

Markus Rauschecker: [00:09:07:16] Absolutely. I mean in this Panama Papers breach a law firm was hacked and they lost, according to reports, 11.5 million documents. About 2.5 terabytes of data. By some accounts that amounts to basically all of the law firms documents over the last 40 years.

Dave Bittner: [00:09:27:14] Markus Rauschecker, thanks for joining us. And a reminder, we'd like to hear from you if you've got a question or a topic you'd like our academic and research partners to discuss. You can send us an email at

Dave Bittner: [00:09:42:08] And that's the CyberWire. For links to all of today's stories, visit And while you're there subscribe to our popular daily news brief. Our editor is John Petrik, I'm Dave Bittner. Thanks for listening.