The CyberWire Daily Podcast 9.18.19
Ep 930 | 9.18.19

Tortoiseshell threat-actor active in the Middle East. Simjacker less dangerous than thought? Decentralizing cyber attack. The Ortis affair. Mr. Snowden’s book deal.


Dave Bittner: [00:00:03] A newly discovered threat actor, Tortoiseshell, has been active against targets in the Middle East. The Simjacker vulnerability may not be as widely exploitable as early reports led many to believe. The U.S. Army seems committed to decentralizing cyber operations along familiar artillery lines. Joint Task Force Ares continues to keep an eye on ISIS. Canada seeks to reassure allies over the Ortis affair. And the Justice Department wants any royalties Mr. Snowden's book might earn. 

Dave Bittner: [00:00:38]  And now a word from our sponsor ExtraHop, the enterprise cyber analytics company delivering security from the inside out. The cloud may help development and application teams move fast, but for security teams already dealing with alert fatigue, tool sprawl and legacy workflows, cloud adoption means a lot more stress. You're building your business cloud first. It's time to build your security the same way. ExtraHop's Reveal(x) provides network detection and response for the hybrid enterprise. With complete visibility, real-time detection and guided investigation, Reveal(x) helps security teams unify threat detection and response across on-prem and cloud workloads so you can protect and scale your business. Learn more at That's And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:01:36]  Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights, like remediation advice to help fix faster, while methodology-driven assessments ensure compliance needs are met, at 

Dave Bittner: [00:02:03]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 18, 2019. Researchers at security firm Symantec report finding a previously undocumented threat actor, Tortoiseshell, conducting what appears to be an espionage sweep through the IT supply chain. It's been active so far mostly in the Middle East and against Saudi targets. Eleven organizations were affected, Symantec says. And in two of them, the attackers achieved domain admin-level access. An unusually large number of machines were affected - in some cases, hundreds - which suggested to the researchers that the attackers were hauling in as many devices as they could until they found those that were most interesting to them. There are indications that the group was active as early as the summer of 2018. Its most recent activity was observed in July of this year. 

Dave Bittner: [00:02:57]  For the most part, it appears to be an information stealer, and much of what it's stolen seems likely to belong to the reconnaissance phase of an attack. Tortoiseshell is unusual in that its tools are, to a significant extent, custom built. The basic tool the attackers are using is Backdoor.Syskit, which they've written in both Delphi and .NET. It's not clear yet what the information vector is, but Symantec's best guess is that it may be a compromised web server. Symantec found the Poison Frog variant of the Bondupdater backdoor used by OilRig - also known as APT34, also known as HelixKitten. And this is an Iranian threat actor. But in this case, that really doesn't even rise to the level of circumstantial evidence and says little about attribution. That's because those tools were publicly leaked back in April. So who's behind Tortoiseshell is so far unknown. Symantec says that it sees no particular indications that the campaign is connected with any other known state or criminal actor. We do note that a tortoiseshell is a kind of cat. Did Symantec pick a feline name to suggest that, really, they think it's Iran? You know, Persian cats, HelixKitten, that sort of thing? 

Dave Bittner: [00:04:13]  The Simjack vulnerability AdaptiveMobile described last week may prove more difficult to exploit than had been thought. A number of researchers tell Computing that the vulnerability lies in a legacy feature of SIMs that most mobile carriers no longer use. Reports in Fifth Domain and Army Times this week suggests that the U.S. Army is contemplating a significant decentralization of offensive cyber operations. Some comments from Army representatives are on the murky side, but they indicate that the service increasingly thinks of cyberattacks the way it does calls for fire support. That is, if we're to take the analogy seriously, that a call for cyber action could be made from a very low-tactical level, answered by a battalion-level organization and answered relatively quickly. This would seem to be an evolutionary development within Army doctrine, which for some time has regarded electronic attack as something you direct the way you direct artillery fire. But it's an interesting development, to say the least. 

Dave Bittner: [00:05:17]  Fire Support is responsive in part because its possibilities are shaped by Fire Support coordinating measures that specify what can be fired where and when, what permissions are necessary, and so forth. Fire Support is also responsive because the effects of fires are well-understood. You know, for example, that a no-fire area will have to be of a certain size to keep the effects of, say, a sheaf of 155-millimeter-high explosive rounds out of that particular area. It would be interesting to know what sorts of coordinating measures are being put in place for cyberattack. And finally, of course, Fire Support is responsive because it's regularly exercised and practiced. The U.S. Army seems to be doing this at places like Fort Irwin and Muscatatuck. So, hey, cyber gunners, what are the surface danger zones for a distributed denial-of-service attack? Seriously. Email us. Anyway, ISIS may learn how this doctrine applies in practice. Joint Task Force Ares, the U.S. organization hunting it in cyberspace, says it's actively working against the sometimes caliphate as it attempts to reestablish itself in various South Asian locations. 

Dave Bittner: [00:06:31]  There's that old saying, there's no such thing as a free lunch, the notion being that everything has some sort of cost even if you don't know what it might be right away. And so it is with cloud services. There are conveniences, security advantages, cost savings. But there are also complexities and unexpected consequences. Brian Roddy is head of cloud services at Cisco. 

Brian Roddy: [00:06:55]  Typically, when people talk about using the cloud, it's a fairly nebulous statement and people aren't really sure what they mean. They think about, am I using Amazon to potentially run my applications, or is it mean am I using something like when I use my, say, customers relationship management software? Really, when we talk about multicloud, it's embracing the fact that most people today are using a wide range of cloud-based applications from different vendors. And on top of that, they're using infrastructure as a service from places like Amazon and Azure and Google. And when we've surveyed customers, we've found that more than half of them are using at least two platforms as a service. 

Dave Bittner: [00:07:40]  And so I suppose the challenge there is getting on top of security across all of these different environments and platforms. 

Brian Roddy: [00:07:49]  That's 100% correct. You know, it used to be when you had all your applications living inside of your own data center, it was relatively easy to manage 'cause you had access to all the data and all the databases, all the applications, all the ways people were logging in to it. You could control access. But as soon as you start using multiple applications from multiple vendors as well as different cloud infrastructure providers, you've essentially distributed all of your applications out to the world. Now, there are some benefits to that. On one hand, you've now made it so if any particular application gets compromised, they don't have access to all your applications. So you've kind of decentralized your risk a little bit. The challenge, though, is that by having so many different vendors, it's hard to have any notion of consistent policy or consistent enforcement or visibility across all of them. And so a lot of the work that people are doing today is, how do I get the old controls back again? 

Dave Bittner: [00:08:43]  And how are they going about that? The organizations that are finding success here, what's their approach? 

Brian Roddy: [00:08:49]  Well, usually it happens in a set of steps, a set of phases. You know, first and foremost, people will need to get visibility on what applications people are using. So there is a whole set of product offerings out there, called shadow IT products, that try and give you a sense of what apps are people using, which ones are good, which ones are bad, which ones are dangerous. And then once you get a map of what people are doing then you start to gain some control over it. So first, you want to have some kind of single sign-on so people are using well-understood passwords that you can revoke if they get compromised. And once you get those basic controls in place then you start thinking about, how do I have more a policy orientation? You know, how do I control the data that's being uploaded into those environments? How do I secure the accounts? You know, it's an interesting thing. We find that most of the breaches that happen, people don't break in. They essentially log in with credentials that have been compromised. So the other big area of focus for a lot of our customers is multifactor authentication, making sure it's not just a password required to get into these things, but having at least two factors to make it safe. 

Dave Bittner: [00:09:58]  Is it possible for organizations to put kind of a unified front end on these types of operations? 

Brian Roddy: [00:10:06]  You can do so in kind of a piecemeal way. So you can have a common login with single sign-on solutions. You can also have a common way of enforcing data policies with a class of products known as cloud access security brokers. What those products do is - sometimes it's abbreviated as CASB. What CASBs do are ways of allowing you to do data loss prevention across all different cloud vendors, malware scanning across all cloud vendors so you can have some amount of data control. So those are the first big ways that you can have a common front end. But the other area people have concern on is, is there a common set of security appliances or services that I go through before accessing them? So you know, it used to be in the past, you'd have firewalls and secure gateways and sandboxes in your data center that kind of kept people safe before they went out to the internet. Nowadays, people are going straight to the internet, sitting in coffee shops. And the other area of consistent security is that, how do I have that right network security policy? And there, there's a whole new class of cloud-delivered secure internet gateways that are designed to try and provide that same kind of protection across the board. So you can see there's single sign-on, CASB and this secure internet gateway. So a bunch of products emerging to cover all the different new needs. 

Dave Bittner: [00:11:31]  That's Brian Roddy. He's head of cloud security at Cisco. 

Dave Bittner: [00:11:36]  In the matter of the espionage case against a high-level official of the Royal Canadian Mounted Police, RCMP Commissioner Brenda Lucki described the arrest of Cameron Ortis under the Information Security Act as unsettling. A joint investigation with the FBI suggested that the Mounties had a rogue insider. The bureau found email, apparently from Mr. Ortis, to the drug cartel-serving encryption shop Phantom Secure that said, quote, "you don't know me, but I have information you may be interested in," end quote. A piece in the French-language Radio-Canada service says without much elaboration that Mr. Ortis had debts and that his motive in offering sensitive information was financial. Commissioner Lucki has asked that people not judge the RCMP as a whole on this one bad apple. But if bad apple he indeed turns out to have been, Mr. Ortis may have spoiled up to five big barrels. During a campaign stop in Newfoundland, Canadian Prime Minister Justin Trudeau said, quote, "we are in direct communications with our allies on security," end quote. The allies most concerned are, of course, the other members of the Five Eyes group - Australia, New Zealand, the United Kingdom and the United States. 

Dave Bittner: [00:12:50]  That other famous rogue insider, Edward Snowden, continues to discuss his forthcoming book with the media. The U.S. Justice Department yesterday filed a civil lawsuit in the U.S. District Court for the Eastern District of Virginia against the author and sometime-NSA contractor. Justice isn't interested in stopping publication of the book or in restricting its distribution or, presumably, controlling its content. Instead, the government wants whatever money Mr. Snowden may make on sales of "Permanent Record." The principle is that someone shouldn't be able to profit from violating a proper nondisclosure agreement, like the one Mr. Snowden had with NSA. The government doesn't allege any misconduct on the part of the publishers, but it will go through them to get any cash that may be coming Mr. Snowden's way. The complaint has the Fifth Avenue, New York, address of the publishers, but for the defendant simply notes, exact address unknown. Presumably, it's still somewhere in Russia but, from what we hear, he's hoping to relocate to France. 

Dave Bittner: [00:13:57]  And now a word from our sponsor, Dragos, the leaders in industrial cybersecurity technology. Threats to electric infrastructure are progressing in both frequency and sophistication. In their latest white paper and webinar, Dragos reanalyzes the 2016 Ukraine cyberattack to reveal previously unknown information about the CrashOverride malware, its intentions, and why it has far more serious and complex implications for the electric community than originally assessed. Learn more about CrashOverride and what defenses to take to combat future sophisticated cyberattacks by reading the white paper at or watching their webinar at To learn more about Dragos's intelligence-driven approach to industrial cybersecurity, register for a free 30-day trial of their ICS threat intelligence at And we thank Dragos for sponsoring our show. 

Dave Bittner: [00:15:08]  And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, it's great to have you back. I know something that you've been studying there at Lancaster is this notion of cybersecurity as a force multiplier and some of the ambiguity that that brings to international conflict. What can you share with us about that today? 

Daniel Prince: [00:15:29]  Some of the work that I'm doing is around this area of digital impact on conflict and politics. So I co-supervise a number of Ph.D. students in a multidisciplinary way with a colleague from politics, philosophy and religion department here. And we're really looking at the impact of the digital environment on the changing nature of politics and conflict. One of the things that we're starting to really look at is this idea that this notion of ambiguous conflict, hybrid warfare or gray zone conflict is really the cyberwarfare that we have actually got rather than the cyberwarfare that we envisaged. The science fiction of cyberwarfare is, you know, people in dark rooms, hacking into remote locations, taking power grids offline. And it makes for a great movie plot. And certainly, some of that, you know, we believe that to be plausible. 

Daniel Prince: [00:16:21]  But actually, the types of things that we're seeing, particularly in the hybrid warfare or the sort of gray zone warfare, is this use of information and influence to subvert our expectations or perceptions. And it kind of comes back to that traditional kind of subversion in terms of traditional warfare or political influence. But because of the hyperconnected environments in which we work digitally and is integrated into our societal lives, that influence is much, much more prevalent. In the media, a large number of conversations, really, about other nation-states influencing elections, influencing the narrative around certain things. Recently there's been a number of articles around nation-states influencing the narrative around recent science fiction films to make them appear more negative. And so when you've got that ability to exert that control and that influence, that acts in a different way to the way that we perhaps were expecting cyberwarfare to be conducted. 

Dave Bittner: [00:17:24]  Yeah. I mean, it strikes me that there's an asymmetry at play here. As you say, a force multiplier that, in the past, if I wanted to, you know, paper a country with flyers trying to spread some misinformation, well, there was a physical component of that that was a limiting factor. These days, as you say, with being able to spread things online, that physicality as a limiting factor, that's pretty much gone. 

Daniel Prince: [00:17:47]  That's true. And the flip side to that is the removal of information. I mean, it's not just about the presence of information, but also what information you can take away from a population so they cannot verify certain facts. But there are other mechanisms in terms of that force multiplier. Not just in terms of political influence and driving certain ideologies, but also, you know, this idea that, actually, physical attacks can be backed up by knocking out digital systems to enable much more effective operations. And so this idea of sabotage is coming into play. And this is a concept that a gentleman named Thomas Rid really put forward around sabotage, that cyberattacks are around sabotage, espionage, and this idea - and subversion. And so they all act as force multipliers for political influence but also in digital warfare. So this idea of cybersecurity and cyberattacks acting as a force multiplier is a multifactor thing that we need to really consider in terms of modern conflict. 

Dave Bittner: [00:18:52]  All right. Daniel Prince, thanks for joining us. 

Dave Bittner: [00:18:59]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:12]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.