OceanLotus versus car manufacturers. Ransomware versus dental practices. $5 million reward offered in Dridex case. Information operations and the UK’s general election.
Dave Bittner: [00:00:00] Hey, everybody, Dave here with some exciting news. We are pleased to announce our new subscription program, CyberWire Pro. It's launching early in 2020. For cybersecurity professionals and others who want to stay abreast of our rapidly evolving industry, CyberWire Pro is a premium news service that will save you time as it keeps you informed. You can learn more and sign up to get launch updates at thecyberwire.com/pro. That's thecyberwire.com/pro. Do check it out. Thanks.
Dave Bittner: [00:00:34] OceanLotus puts down more roots in automobile manufacturing. Ransomware hits dentists' IT providers, as well as a Rhode Island town. The U.S. is offering a reward of $5 million for information leading to the arrests or - and we stress or - conviction of Dridex operator-proprietor Maksim Yakubets. Russian influence operations seem to be aiming at stirring things up over this week's British election. And an awful lot of Windows 7 machines still seem to be out there.
Dave Bittner: [00:01:10] And now a word from our sponsor, the upcoming Cybersecurity Conference For Executives. The Johns Hopkins University Information Security Institute and Ankura will host this event on Wednesday, March 25 in Baltimore, Md., on the Johns Hopkins Homewood campus. You can find out more at isi.jhu.edu and click on Sixth Annual Cybersecurity Conference For Executives. Learn about the do's and don'ts of risk management with industry leaders and other cyber professionals. Check out the details at isi.jhu.edu, click on the Sixth Annual Cybersecurity Conference For Executives, and we thank the Johns Hopkins University Information Security Institute for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:20] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 9, 2019. Bayerische Rundfunk reported at the end of last week that OceanLotus, also known as APT32, a hacking group associated with the government of Vietnam, has been detected in the networks of both BMW and Hyundai. Neither company would directly answer the news service's questions. BMW responded with generalities about the company's security posture, the need for discretion in talking about specific cybersecurity incidents and so forth, along with offering reassurances that they're addressing any security issues. The company is said, by ZDNet, to have monitored OceanLotus' intrusions into its networks for a few months before finally expelling the hackers at the end of November.
Dave Bittner: [00:03:12] Bayerische Rundfunk reports that OceanLotus seems to have established websites spoofing those belonging to BMW and Hyundai and that those spoofs may have in some way figured into the attacks. Engadget reports the episode is an instance of cyber espionage with trade secrets as the probable target, noting that Vietnam has in recent years entered the automobile market with its own manufacturer. BMW is a parts supplier to Vietnam's domestic producer. The national champion, VinFast, has been in operation for a little more than a year. As ZDNet points out, BMW and Hyundai aren't the first companies to draw the interest of Vietnam's industrial espionage operators. Toyota was an OceanLotus target earlier this year.
Dave Bittner: [00:03:57] Ransomware continues to crop up in places that wouldn't appear to be high-payoff targets. KrebsOnSecurity reported on Saturday that an IT provider that serves dental offices, Englewood, Colo.-based Complete Technology Solutions, had suffered an infestation of Sodinokibi ransomware, a strain also known as REvil, that's been making a nuisance of itself in recent months. Complete Technology Solutions offers, according to Krebs, network security, data backup and voice-over-IP phone service. The problem apparently began on November 25, and Krebs says that as of this past weekend, affected practices were still turning away patients. The operators behind Sodinokibi have devoted some attention to IT firms serving dental practices. Two months earlier, the same strain hit in Wisconsin, where it affected service provider PerCSoft and affected about 400 practices. Some 100 have been affected in the Colorado attack.
Dave Bittner: [00:04:57] And the other ransomware incident that developed at the end of last week hit the small Rhode Island town of East Greenwich, where municipal systems were affected. The town hopes to be substantially up and back in business today. Both cases should serve as a reminder that a relatively small size and low profile confer little immunity from cyberattack.
Dave Bittner: [00:05:17] Maksim Yakubets and Igor Turashev, the two Russian goniffs indicted in Pittsburgh last week on 10 counts connected with their use of the Dridex banking Trojan, have now got a price on their head, or at least Yakubets does. The U.S. Departments of State and Justice are offering $5 million in Yankee greenbacks for information leading to Mr. Yakubets' arrest or conviction. That's the highest ever offered - Computing and the Washington Post agree - for cybercriminals of this type. The Post has an interesting photo essay showing how crime pays for some of Gangland's top dogs, with plenty of pictures showing the lifestyles of the corrupt and conscienceless. If bad taste were a crime, State and Justice would have to up their offer to $10 million. Anyhoo, the Dridex duo will find it difficult to vacation outside of Russia. Hope they like Chelyabinsk because, alas, Atlantic City or Reno seem out of reach, which is sad.
Dave Bittner: [00:06:17] A bit more news out of Russia. The World Anti-Doping Authority, better known by its acronym, WADA, has hit Moscow with a four-year ban that will take the country out of this coming summer's Tokyo Olympics. This isn't a cyber story - not yet, anyway - but it can be expected to become one soon enough. WADA has been in the Kremlin's cyber crosshairs before.
Dave Bittner: [00:06:39] The U.K. will hold its general elections this Thursday. Campaigns are being roiled in the last week by the documents Labour brandished to accuse the Conservatives of planning to sell the National Health Service to the U.S., which seems unlikely to say the least. Or, to put it somewhat more plausibly, the documents are said to show that the Tory government was planning to offer effective control of the NHS's place in the health care market to a set of U.S. firms, the goal being, they say, to sweeten Britain's offer during negotiation of a new U.K.-U.S. trade deal.
Dave Bittner: [00:07:11] Labour's leader, Jeremy Corbyn, is hanging tough, saying it's an important issue the prime minister has yet to address and that, as The Guardian reports, Labour won't reveal where the documents came from. Besides, even if the accusations that the documents were planted on Reddit by Russian operators are true, no one has yet made the case for the documents' inauthenticity. The Washington Post points to the incident with glum alarm as a stark warning for the U.S. 2020 elections, if only because, as the Post puts it, politicians are not exactly serving as a deterrent right now to would-be adversaries. So the week will prove interesting.
Dave Bittner: [00:07:51] Finally, whether or not Prime Minister Johnson is taking a page from "The Art of the Deal" here, there's one National Health Service cyber issue that seems beyond dispute. According to Computing, the NHS still has about 200,000 machines running Windows 7, which really and truly reaches its end of life next month, which makes us think. Our radio desk has been hearing a lot of ads lately in the lower reaches of local AM in which someone's offering to sell Windows 7 laptops at a discount. Get them now before Microsoft ends Windows 7 support in January, they say, which is a way of looking at the market we confess hadn't occurred to us. So hop to it, world.
Dave Bittner: [00:08:38] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:09:39] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [00:09:48] Hi, Dave.
Dave Bittner: [00:09:49] You and I were looking over some of the predictions from McAfee when it comes to things that they think are going to be coming down the pike in 2020, and there's one here that caught our eye that we wanted to discuss today. This was written up by John Fokker. He's been a regular guest over on our "Research Saturday" show, and this is ransomware attacks to morph into two-stage extortion campaigns.
Joe Carrigan: [00:10:10] Yeah.
Dave Bittner: [00:10:11] What's going on here?
Joe Carrigan: [00:10:11] So we're all familiar with ransomware, right?
Dave Bittner: [00:10:13] Yeah.
Joe Carrigan: [00:10:14] That you get your files encrypted and then the attacker comes in, and they say, here's your keys. Give me the money. And if you pay them, you might very well get the keys. In fact, most of the time, you do get the keys.
Dave Bittner: [00:10:25] Right.
Joe Carrigan: [00:10:25] But what he's saying is while you're recovering from this ransomware attack, the next thing they're going to do is start extorting you to keep the data private.
Dave Bittner: [00:10:34] So this...
Joe Carrigan: [00:10:34] Right?
Dave Bittner: [00:10:34] ...Is sort of an insult to injury kind of thing (laughter)?
Joe Carrigan: [00:10:36] Yeah, an insult to injury kind of thing. So, you know, if I am capable enough to penetrate your network and get inside or if I've bought that access from somebody...
Dave Bittner: [00:10:46] Right.
Joe Carrigan: [00:10:47] ...Then I have access to your documents and your data and whatever, and I can get that data out of there as well as encrypt it, right? So I can steal it and encrypt it. So I can take it for myself and have it and then deprive you of it. So once I give it back to you through the ransom payment, I can still leverage the fact that I have the information. So now you're faced with another decision of whether or not to pay the extortion - the hush money. I'll call it the hush money. And then we'll say the ransom is what you pay to decrypt your data, and the hush money is what you pay to keep your data from being released, right? I'm already dealing with people who have already encrypted and stolen my data.
Dave Bittner: [00:11:22] Right.
Joe Carrigan: [00:11:22] Right?
Dave Bittner: [00:11:22] Although they have a little bit of your trust if they've given it back.
Joe Carrigan: [00:11:25] Right, right. I understand.
Dave Bittner: [00:11:26] For money, right (laughter)?
Joe Carrigan: [00:11:27] But paying them the hush money is no guarantee that they're going to not turn around and sell that data a third time for another profit.
Dave Bittner: [00:11:36] Sure.
Joe Carrigan: [00:11:37] Right? I understand what John is saying here, and I absolutely think he's right that people will try it. I don't think it will have any benefit. I don't think people will pay that as much. People will pay ransoms to get their data back, but people are not going to pay hush money to prevent their data from being leaked, I think.
Dave Bittner: [00:11:53] So is the lesson here that your data should be encrypted at rest so even if these bad guys exfiltrate the data...
Joe Carrigan: [00:12:02] Right.
Dave Bittner: [00:12:03] ...It's encrypted with your encryption...
Joe Carrigan: [00:12:04] Yep.
Dave Bittner: [00:12:05] ...That you have the key to...
Joe Carrigan: [00:12:06] That's correct.
Dave Bittner: [00:12:06] ...And they - it's worthless to them?
Joe Carrigan: [00:12:08] It is worthless to them, and that's a great point. So if you use encryption when your data's at rest and that encryption is in place when somebody without authorization to look at the data is looking at it - but, you know, if I'm using whole drive encryption on, like, a Windows machine and somebody has remote access to that Windows machine, that data is there and unencrypted and accessible.
Dave Bittner: [00:12:30] Yeah.
Joe Carrigan: [00:12:30] So even though it's encrypted at rest - now, if I'm talking about encrypted data maybe on a network drive that's always encrypted until somebody looks at it...
Dave Bittner: [00:12:37] Yeah.
Joe Carrigan: [00:12:37] ...Then, yes, that's right.
Dave Bittner: [00:12:39] Yeah, yeah.
Joe Carrigan: [00:12:39] Of course, if somebody's encrypted a second time, that still makes it inaccessible to me, right? So I still have to make the decision of whether or not I'm going to pay the ransom.
Dave Bittner: [00:12:47] Yeah. And, you know, another thing that I think doesn't get discussed very much is that sometime - there's the possibility that when the data is restored - let's say you pay the ransom and the data's restored.
Joe Carrigan: [00:12:58] Right.
Dave Bittner: [00:12:58] How do you know that that data hasn't been altered?
Joe Carrigan: [00:13:01] Yeah, that's a real issue. Avi Rubin, who is a professor at Hopkins, has said that that is what he predicts is going to be the next wave of ransomware, is that somebody's going to go into some organization and change the data - not make it invalid but change it. And then they're going to say, I've changed your data, and you have to pay me a ransom or I won't change it back, but I can change it back. You know, I think that's a much more insidious and probably dangerous method of infection.
Dave Bittner: [00:13:33] Yeah, you can see the ramifications of that. Think about it in a medical...
Joe Carrigan: [00:13:37] Right.
Dave Bittner: [00:13:37] ...Environment.
Joe Carrigan: [00:13:38] Absolutely.
Dave Bittner: [00:13:38] You're changing patient data, information...
Joe Carrigan: [00:13:40] Changing test results, for example.
Dave Bittner: [00:13:41] ...Or medicine dosing and things like that. Yeah...
Joe Carrigan: [00:13:45] Yeah.
Dave Bittner: [00:13:45] ...All kinds of issues that could come up. All right, well, it's an interesting report. It's a "McAfee Labs 2020 Threats Predictions Report" - worth a look. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:13:54] My pleasure, Dave.
Dave Bittner: [00:13:59] And that's the CyberWire.
Dave Bittner: [00:14:01] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:14:12] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.