The CyberWire Daily Podcast 7.26.19
Ep 893 | 7.26.19

Winnti and other Chinese espionage activity. Volume I of the US Senate report on election meddling is out. Ransomware from Sabine, Louisiana, to Johannesburg, South Africa.

Transcript

Dave Bittner: [00:00:03] Winnti and other Chinese threats have been active against German and French targets. The U.S. Senate Intelligence Committee has issued the first volume of its report on Russian operations against U.S. elections. This one deals with infrastructure. Louisiana declares a state of cyber emergency over ransomware. Johannesburg's power utility is also hit with ransomware. And you could get up to $175 from the Equifax breach settlement.

Dave Bittner: [00:00:35]  And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. The cloud may help development and application teams move fast, but for security teams already dealing with alert fatigue, tool sprawl and legacy workflows, cloud adoption means a lot more stress. You're building your business cloud first. It's time to build your security the same way. ExtraHop's Reveal(x) provides network detection and response for the hybrid enterprise. With complete visibility, real-time detection and guided investigation, Reveal(x) helps security teams unify threat detection and response across on-prem and cloud workloads so you can protect and scale your business. Learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:01:34]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 26, 2019. 

Dave Bittner: [00:01:42]  A joint report by BR and NDR describes the long-running Winnti industrial espionage campaign against major German companies. The targets were drawn from the DAX 30, a set of blue chip companies listed on the Frankfurt Exchange. Winnti's operations go back to 2011 and showed a familiar mix of intelligence and criminal motivation. The initial attacks seem purely criminal and were directed against Karlsruhe-based gaming company Gameforge. By 2014, the group had moved on to industrial espionage against chemical and pharmaceutical firms, starting with Dusseldorf's Henkel, whose adhesive technologies were of interest. The operations against French targets had a political motivation, according to L'Opinion. Chinese operators worked to manipulate voting at the U.N. to prevent a French candidate from election to the international body's agriculture and food portfolio. 

Dave Bittner: [00:02:38]  The U.S. Senate Intelligence Committee has released the first volume of its report on Russian election interference. No new revelations, but the scope, intent and methods of Russian operations in 2016 are plainly documented. This volume of the report focused on threats to election infrastructure with a consideration of influence operations to come later. The report concluded that extensive activity targeting election systems had begun by 2014, at least, and that much of that activity targeted state and local election infrastructure. All 50 states received attention from Moscow between 2014 and 2017. The level of activity is alarming, but the good news is that the committee found no indications that votes were changed, vote tallying systems were manipulated or that any voter registration data was altered or deleted. The federal government did provide warnings at the time, but the committee regards those as insufficient and often directed to the wrong people. 

Dave Bittner: [00:03:38]  Further volumes will no doubt deal with influence operations. In the meantime, The Washington Post notes that it's not just Russia. Other countries, especially Iran, have also gotten into the business. Russia has shown the greater sophistication, but Iran hasn't been too far behind. Russian information operations tend to be opportunistic, their goal being degradation, not persuasion. Iranian operators like to persuade and tend to be a bit one note, establishing sock puppets that retail stories from Tehran's official media and that tend to focus on the Islamic Republic's line. 

Dave Bittner: [00:04:14]  States of emergency in the U.S. are generally declared in the aftermath of natural disasters, like hurricanes and ice storms. Now one has been declared in response to a set of cyberattacks. The governor of Louisiana has declared a state of emergency in response to ransomware attacks on school districts in three northern Louisiana parishes, Sabine, Morehouse and Ouachita. Governor John Bel Edwards has declared the emergency to invoke special powers the state now makes available for response to cyber incidents. Files have been encrypted, and systems are generally down throughout the school districts. 

Dave Bittner: [00:04:52]  This is exactly the second time a state has declared an emergency over a cyberattack. Colorado did it last year when its Department of Transportation was hit by SamSam ransomware. A note on Louisiana local government. A parish in Louisiana is what other states would call a county, a level of government between the municipal and the state. It has only an etymological religious significance; a parish is a civil institution.

Dave Bittner: [00:05:18]  A South African city's electrical utility has been interfered with by a cyberattack. City Power, the electrical utility that serves Johannesburg, was hit by ransomware, according to multiple reports in the local media. The attack didn't cause a power failure, but it did induce a kind of service disruption. Customers who prepay for electricity are unable to do so because many of City Power's public-facing business services have been taken offline. The Johannesburg attack is, therefore, similar to the incident Baltimore is still recovering from. 

Dave Bittner: [00:05:50]  In the U.S. case, it was water billing. In South Africa, it's electricity. In Baltimore's case, the mayor's office has backed off from earlier claims that the city was hit by rogue NSA EternalBlue attack code. It now acknowledges that the attack was RobbinHood ransomware and not sinister stuff making its way up I-95 from Fort Meade. The city is still investigating and recovering, but it can't say too much because the investigation is still ongoing. They have released the names of the companies Baltimore has retained to help with the investigation and remediation. They're FireEye, Clark Hill, Seculore, Dyn Tek Services, Microsoft, and Crypsis. 

Dave Bittner: [00:06:31]  So does it scale? Who hasn't asked or at least heard that question? With respect to content moderation, the answer seems to be not painlessly and not without a lot of labor. Content moderation at YouTube, Facebook and Twitter is largely done in a very labor-intensive fashion with employees in the Philippines looking at an awful lot of awful, The Washington Post reports. It's not clear that it could be otherwise. Whatever hopes are being vested in the algorithms, they're apparently not up to speed yet. 

Dave Bittner: [00:07:02]  And finally, The Verge and others are explaining how to apply for Equifax breach compensation. Don't expect too much. You might get up to $175 if you're lucky, so don't spend it all in one place. 

Dave Bittner: [00:07:21]  And now a message from our sponsor ObserveIT. 

Unidentified Person: [00:07:26]  Great party, huh? 

Dave Bittner: [00:07:28]  Yeah. Yeah, great party. Could you excuse me for just a moment? Hey, you. What are you doing? What? Oh, no. Looks like another insider got into our systems when we weren't looking. I am going to be in so much trouble with the boss. 

Unidentified Person: [00:07:47]  Did someone say trouble? I bet I can help. 

Dave Bittner: [00:07:50]  Who are you? 

Unidentified Person: [00:07:51]  To catch insider threats, you need complete visibility into risky user activity. Here, I'll show you how ObserveIT works.

Dave Bittner: [00:07:58]  Wow. Now I can see what happened before, during and after the incident. And I'll be able to investigate in minutes. It used to take me days to do this. 

Unidentified Person: [00:08:08]  Exactly. Now, if you'll excuse me, I think there's a cocktail over there with my name on it. 

Dave Bittner: [00:08:14]  But wait. What's your name? Oh, well. Thanks, ObserveIT, and whoever she is. 

Dave Bittner: [00:08:21]  ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. Get your free trial at observeit.com/cyberwire. 

Dave Bittner: [00:08:41]  And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, it's great to have you back. We wanted to talk today about some work that you've been doing about test beds and designing experiments around industrial control systems. What can you share with us today? 

Daniel Prince: [00:08:59]  Well, thanks for having me back. So we do a lot of work here at Lancaster University around industrial control systems, cybersecurity - particularly around the technological end, the operational technology end. And we've had several years of experience of building large-scale test beds which mimic credibly real-world environments. And we've noticed in the - kind of the literature more broadly, there's been a - quite a significant focus on the creation of test beds and how to create credible test beds that when you perform your experimentation on, you can scale those results up to the different types of implementation - so water or other utilities, for example. 

Daniel Prince: [00:09:38]  But one of the things that we've been starting to look at now is - you know, effectively, building the test beds is your - really, your scientific apparatus. What does it mean to perform high-quality scientific experimentation on those? And, actually, are we building those test beds as high-quality scientific apparatuses well? So it's not just about establishing the credibility but also, how do you actually perform experiments on these industrial control systems test beds so that we can really learn some interesting concepts that we need to take forward into the field? 

Dave Bittner: [00:10:10]  Can you give us some examples of how those two things intersect? 

Daniel Prince: [00:10:14]  Yeah. So when we think about building a test bed, one of the things we do is establish that as a scientific apparatus, as a replication of a real-world environment, which is, effectively, what a lot of scientists do with their lab equipment. They think about, how does this chemical reaction, you know, or whatever it might be - if a physical experiment is a representation of a real-world environment? We have really focused on creating the apparatus as best we can. But then how do you actually perform the experiment on top of that? What are the protocols? What are the issues around the apparatus that you're using? What are the restrictions? What are the conditions? So we can't go out and build a whole water treatment work, for example. It's too complicated. There's too many real-world processes. 

Daniel Prince: [00:11:02]  So how - when we're setting up an industrial control systems test bed, how do we make sure that the equipment that we're putting in - so the operational technology, the industrial control systems - that's correct? How are we making sure that physical processes that we're putting into that - those are correct and they scale up to the real-world environment? Then when we perform the experiment, whatever that might be - so that might be a penetration test. That might be understanding a new industrial - intrusion detection system. That might be understanding a new piece of technology for protection that goes in there. 

Daniel Prince: [00:11:33]  How do we ensure experimentally and with experimental rigor that those results would be repeatable within a real-world environment? And if they aren't necessarily 100% the same, what are the caveats that we need to put around the experimental results that anybody taking our information and working in the real world need to understand so that they can put additional, maybe, security controls in and around that? 

Dave Bittner: [00:12:01]  How much of this, if any, involves checking in with the folks who have that experience out in the field? - the folks who can say, yeah, you know, the manuals all say to do this. But everyone who's out there actually knows that this is something you have to look out for. 

Daniel Prince: [00:12:16]  That's the credibility aspect, and that's one of the things that, in some of the papers that the folks here have written about, is one of the key things that we always try to establish with the apparatus, for example. So whenever we implement, say, an industrial control system for something like a water treatment plant, we always then try and check that with a range of field engineers or other sort of technical roles. So is this actually what would happen in it? And that establishes the credibility of the test bed, and that's an essential part. But what we're really interested in now is making sure that we are doing rigorous experimentation. 

Daniel Prince: [00:12:56]  So that if, say, for example, we gave the same test bed apparatus with the same experiment to somebody else, how do they do that in such a way that they can get similar results? It's not just wildly divergent depending on who does the experiment. We want to really understand what it means to have highly defined experimental protocols around the results production that we can then really take forward into the industry to get them to understand the issues around the experiment, but also to be able to extrapolate those results to a slightly different environment. 

Dave Bittner: [00:13:29]  All right. Well, Daniel Prince, thanks for joining us. 

Dave Bittner: [00:13:36]  Now it's time for a few words from our sponsor BlackBerry Cylance. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show. 

Dave Bittner: [00:14:36]  My guest today is Joseph Menn. He's a longtime investigative reporter on technology issues, currently working for Reuters in San Francisco. He's the author of several books, the latest of which is titled "Cult Of The Dead Cow: How The Original Hacking Supergroup Might Just Save The World."

Joseph Menn: [00:14:53]  So the Cult of the Dead Cow was born in Lubbock, Texas, in either 1984 or 1986. And it started out in the bulletin board era, where people had 300 baud modems, and it - in order to connect online, it was a tremendous effort and not very satisfying. 

Dave Bittner: [00:15:11]  (Laughter). 

Joseph Menn: [00:15:11]  These guys, the originals, were, you know, young teenagers - 11, 12, 13. You know, they'd gotten kicked out of the sort of, like, the local bulletin board for being, like, too young and ignorant. So they wanted to be elite by themselves, so they created their own bulletin boards. One of them was Demon Roach Underground. So that was the home board of the kid who took the name Swamp Rat, which was later more delicately named Grandmaster Ratte. His real name - I've put in the book - is Kevin Wheeler. You know, he was a misfit. Most of these kids are misfits. They're smart, but they didn't, you know, fit in with the culture in Texas, and they were really desperate to communicate with each other. So they had these bulletin boards. And back then, frequently, only one person could connect at a time. 

Dave Bittner: [00:15:57]  Right, right. 

Joseph Menn: [00:15:58]  And so it was really tedious. So by necessity, the early folks are early tech adopters because they're the only ones who would have put up with it. 

Dave Bittner: [00:16:08]  They build this sort of virtual clubhouse for themselves and their other, you know, group of friends that they gather together here. So how, then, does it evolve to sort of common activities and, you know, with efforts that they're making as a group? 

Joseph Menn: [00:16:23]  Right. So there are a number of key sort of transitions. In the beginning, what brings them together, this group of, you know, independent bulletin board operators, were the Cult of the Dead Cow text files. So text files are just essays. They could be fiction. They could be nonfiction. They could be about, hey - in the case of the cDc, some of them were about hacking. And some of them were just, you know, funny - so it was sort of like underground paper, like underground newspaper, high school underground newspaper type stuff. Some of them were political, but they were frequently funny. And sometimes they were obscene. 

Joseph Menn: [00:16:55]  They distributed them, you know, to other bulletin boards. And there were a lot of, like, important, like, sort of marketing decisions that the group made, and one of them was to number these text files. Other bulletin boards would want to have on hand, like, cDc, you know, numbers one through 10 or so forth - you know, they didn't - they wanted a complete set. And so while other - many other bulletin boards did text files, the cDc ones got spread pretty widely and got, you know, famous for that era of the Internet. 

Dave Bittner: [00:17:24]  As the group grows, are they putting any sorts of guardrails on themselves? I'm thinking of, you know, dealing with things that might be illegal. You know, I remember back in those BBS days, you know, phone phreaking was a popular thing because you had to deal with things like long-distance charges. Was there tolerance of that sort of thing or did they self-police themselves? How did it work? 

Joseph Menn: [00:17:49]  So this is very interesting, and I go into this in quite a lot of detail in the book. In the beginning, everybody was stealing long-distance service because, if the bulletin board wasn't in your area code, then you had to pay long-distance fees, or your parents had to pay long-distance fees, in order to connect. And, you know, these - you were going to be online for a while, particularly if you're trying to download anything - a program, a game, anything like that. You're going to be connected for a long time, much longer than you would be to just chat to your cousin or some friend on the other side of town. 

Dave Bittner: [00:18:24]  Right. 

Joseph Menn: [00:18:25]  So these kids were all looking at multi-hundred-dollar phone bills, and the parents would cut them off after one month of that. So they basically all scrambled to get calling card codes, credit card numbers or other ways, illicit ways, to connect online. And so there was kind of this moral forge that happened, where everybody had to consider, you know, what was OK about breaking the law, was it better - was it OK morally some - for some reason, to steal from AT&T because they're - you know, they did - you know, you disapproved of them politically or they're a monopoly or whatever. You know, it's hard to justify as an adult, but, you know, when you're 13 and you really, really want to connect, you're willing to cut some corners. 

Dave Bittner: [00:19:07]  Right. 

Joseph Menn: [00:19:07]  But what's interesting to me is that people do their own moral lines. There was this - there was a wide variety. Some of the people in cDc did many more things that were considered criminal, but it was never a focal point of the group. And it was for some others, like Legion of Doom, Masters of Deception, quite famously. They were breaking into all kinds of stuff and, you know, hacking each other in pretty serious ways, you know, which led to a lot of them being arrested. And that was never what cDc was about. 

Joseph Menn: [00:19:36]  But I think one of the most interesting things is that these guys, who sort of grew up with, you know, figuring out - knowing exactly where the law was and deciding, in some cases, where to cross that line actually makes them more reflective about what is appropriate and what isn't than the clean-cut kids that are just coming into cybersecurity today that went to, like, a nice college, then went to work for a big company and just started doing cybersecurity things. Those people can be kind of sleepwalked into doing things that they might later think is a bad idea. These guys - a lot of them were really generalists and were really curious about other parts of the security setup. 

Joseph Menn: [00:20:13]  And, you know, one of the things I admire about cDc is that, you know, they went beyond the technical stuff and sort of approached the media and politics with that same sort of critical hacker mindset. You know, we need to make things better writ large. And maybe we don't know anything about how Congress works, but we'll figure it out if we have to. 

Dave Bittner: [00:20:36]  It strikes me that as a group like this that starts out with a bunch of people who are teenagers and, you know, young adults - that it can survive this long, that it can survive that initial group going into adulthood and having to face all the things that all of us do as we become adults with bills to pay and families and so on and so forth - that it's been able to survive those changes, I think, is quite remarkable. 

Joseph Menn: [00:21:04]  It's not only remarkable; it's unique. There is no other U.S. hacking group that's had anything like that kind of a career. It's funny. Depending on somebody's age and when they came into the scene, you know, some people will say, oh, yeah, cDc. You know, when I first got online, those were the first text files I saw. Another - people that came in a little later, it's like, oh, yeah. I was just starting to hack. And the first tool I used was Back Orifice, which was one of those publicly released anti-Windows tools. And then other people who say, oh, yeah. The first thing I heard about them was - I was into politics, and I heard about this thing called hacktivism, which is something that the cDc invented. So all these successive phases of security work or sort of internet culture, the cDc was in the forefront. 

Dave Bittner: [00:21:50]  Now, the subtitle of the book is "How the Original Hacking Supergroup Might Just Save the World." What's your notion here that they could be the group to save the world? 

Joseph Menn: [00:22:00]  Well, they've already done, as I, you know, have outlined, some pretty amazing things, right? There is @stake, which included people like Alex Stamos, who went inside and became chief security officer at Yahoo, which he left on principle after a secret court order asked for Yahoo to turn over - to search all of its users' emails for something. And then he went inside Facebook as chief security officer and blew the whistle on Russian election interference so I think - in, historically, a very important move. Also from @stake, we get Window Snyder, who was the driving force between Windows XP Service Pack 2 at Microsoft, which was a great leap forward in Microsoft security. And then there's Katie Moussouris, who is sort of known, I guess, as, like, a godmother of the bug bounty movement. She got Microsoft to pay its first bug bounties, got the Pentagon to pay hackers who were also working within a, you know, friendly framework. 

Joseph Menn: [00:22:58]  And then there's Veracode. So Chris Rioux, the same guy who wrote Back Orifice 2000, the '99 sequel to Back Orifice, founded Veracode with another member of the L0pht, Chris Wysopal. And Veracode was the - allowed big software buyers to see what the binaries in the code that they paid for were actually doing, as opposed to just looking at what the source code thought they should be doing. And that, really, was another way to tip the scales away from the software oligopolies and monopolies to the customers, who have been generally left in the dark and with very little recourse. So there are those things. 

Joseph Menn: [00:23:36]  There's the entire hacktivist movement, which continues to this day in various flavors. But I think, really, more than anything, it's the idea of critical thinking, that hackers, as sort of outsiders and critical thinkers, have tremendous value for society and this sort of sense of moral purpose. And I think big tech is in a lot of trouble right now - not just security, but big tech is in a lot of trouble right now because it lost touch with those roots, with the sense of technology being something that is supposed to make people's lives better. It's been about, you know, improvements in technology and about profit, and it hasn't really been about helping people. And I think a lot of that is because the people running these companies were not - didn't go through this sort of moral forge that the old-school hackers did. 

Dave Bittner: [00:24:23]  Well, the book is the "Cult of the Dead Cow." Joseph Menn, thanks so much for joining us. 

Joseph Menn: [00:24:27]  Thanks for having me, Dave. 

Dave Bittner: [00:24:32]  And that's the CyberWire. Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. 

Dave Bittner: [00:24:48]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:25:00]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.