The CyberWire Daily Podcast 12.16.19
Ep 990 | 12.16.19

Iran says it stopped a cyber espionage campaign by China’s APT27. India closes the Internet in two states. Ransomware in Louisiana and New Jersey. National Security Letters.


Dave Bittner: [00:00:03] Iran says it's foiled a cyber espionage campaign mounted by APT27, a Chinese threat group. The Indian government responds to protest over a citizenship law in two states by sending in troops and cutting off the internet in those states. The city of New Orleans sustains what appears to be a ransomware attack; so does a New Jersey health care network. And three senators would like credit bureaus to tell them what the FBI is asking for. 

Dave Bittner: [00:00:35]  And now a word from our sponsor, the upcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and Ankura will host this event on Wednesday, March 25 in Baltimore, Md., on the Johns Hopkins Homewood campus. You can find out more at and click on 6th Annual Cybersecurity Conference for Executives. Learn about the do's and don'ts of risk management with industry leaders and other cyber professionals. Check out the details at Click on the 6th Annual Cybersecurity Conference for Executives. And we thank the Johns Hopkins University Information Security Institute for sponsoring our show. Funding for this CyberWire podcast is made possible, in part, by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:01:44]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 16, 2019. Multiple reports say that Iran's government has indicated that it succeeded in fending off another cyberattack. Tehran is, again, being tight-lipped about the incident beyond saying that it successfully defended itself and that the target was electronic government systems. There's been some a priori speculation about the usual adversaries in the press, including the BBC. But as the BBC itself points out, Iran's telecommunications minister was more specific, saying that the attack used tools associated with APT27, a Chinese threat group. According to MITRE, APT27 is a group that's been active since 2010 and that has, for the most part, devoted its attention to targets in aerospace, government, defense, technology, energy and manufacturing. It's also associated with the names Emissary Panda, Bronze Union, Iron Tiger and LuckyMouse. 

Dave Bittner: [00:02:46]  The Islamic Republic News Agency quotes the ministry as characterizing the attack as foreign spying, espionage organized by a foreign state and that the hostile campaign was stopped by the country's domestic firewall, Dezhfa, that is Digital Fortress. The Telecommunications Ministry had earlier this year mentioned that Dezhfa had been installed to protect Iran's Siemens-manufactured industrial control systems. But this incident appears, so far, to have been espionage as opposed to sabotage. It's, of course, possible that the APT27 tracks were misdirection. But in any case, Tehran wasn't shy about mentioning the circumstantial evidence in its public discussions. And for now, at least, signs point to China. 

Dave Bittner: [00:03:32]  A new Indian citizenship law has been met with widespread protests in the states of Assam and Meghalaya. The law offers an accelerated track to citizenship for members of non-Muslim religious groups, mostly Hindus, Sikhs and Christians who had fled what the law characterizes as religious persecution in the Muslim-majority neighboring states of Afghanistan, Pakistan and Bangladesh. The large Muslim minority in the states has tended to perceive the law as anti-Muslim. The Indian government has substantially blocked the internet in the two states with a view to preventing incitement and online organization of protests. 

Dave Bittner: [00:04:11]  Around midday Friday, more cyberattacks hit Louisiana. The city of New Orleans was most prominently affected by what Bleeping Computer says has been tentatively identified as, again, Ryuk ransomware. CNN reports that the city declared a state of emergency and disconnected systems from the internet as a precautionary measure. Emergency services are said to have been unaffected, and city hall is open for business today as New Orleans officials now characterize the effects of the attack, WBRZ says, as minimal. Some courts have postponed their operations due to the incident, but New Orleans did say that none of their data had been lost or held for ransom. Bleeping Computer notes that if Ryuk was present, it seems likely that Emotet and TrickBot, its usual companions, were also in the affected networks as well. In addition to New Orleans, there are reports in WBRZ that sheriff's offices in three Louisiana parishes were also subjected to an attack at the end of last week. It's unclear whether these attacks are related, and little more information has been available. 

Dave Bittner: [00:05:19]  It's not just Louisiana. A more familiar target of ransomware, a health care provider where threats to clinical data in particular are always taken seriously, surfaced in New Jersey at the end of the week. Hackensack Meridian Health, New Jersey's largest hospital health network, disclosed Friday that it had been afflicted by ransomware for five days, forcing postponement of about 100 elective surgeries. Hackensack Meridian got out from under the attack by paying the ransom and said in its statement that it carried cyber insurance against this sort of eventuality. The health system also said that it was working with the FBI and other authorities and that it was speaking with security and forensic experts. Some of those experts advised the system to delay its disclosure. Hackensack Meridian did not say how much it had paid in ransom. 

Dave Bittner: [00:06:09]  Harper's has a long story in its current issue devoted to online murder-for-hire markets, which it traces to assassination prediction markets that emerged in cypherpunk and anarchist circles in the 1990s. The stories are lurid and disturbing, but actual violence seems much more the exception than the rule. Those who run the hit man job boards seem more interested in extracting money from both frightened prospective victims and from gullible but bloodthirsty buyers. 

Dave Bittner: [00:06:40]  And finally, it appears that the FBI has been demanding large quantities of personal data from credit bureaus. The requests for data come in the form of National Security Letters. Since 2015, companies receiving such letters have been permitted to request that they be able to disclose them, and a number of tech companies have done so. But the credit bureaus apparently haven't, and so three senators - Republican Rand Paul and Democrats Elizabeth Warren and Ron Wyden - have asked Equifax, Experian and TransUnion, why not? The senators wrote, quote, "because your company holds so much potentially sensitive data on so many Americans and collects this information without obtaining consent from these individuals, you have a responsibility to be transparent about how you handle that data. Unfortunately, your company has not provided information to policymakers or the public about the type or the number of disclosures that you have made to the FBI" - end quote. They'd like an answer by December 27. 

Dave Bittner: [00:07:44]  And now a word from our sponsor, McAfee. Ideas don't come for free. Budgets are begged for. Long hours are required. The months, maybe even years, of research, the sheer human effort of it all, the changes, the revisions, the reworks, the results, the adaptation, the innovation, the collaboration all lead to the final moment when it pays off and it's perfect - your company's work, as long as it's not compromised. From device to cloud, McAfee harnesses the power of 1 billion threat sensors to design security that moves beyond intelligence to insight so you can move beyond optimizing security products to optimizing your security posture and not just react to threats but remediate threats that matter. Intelligence lets you respond to your environment. Insights empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to That's And we thank McAfee for sponsoring our show. 

Dave Bittner: [00:08:56]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: [00:09:05]  Hi, Dave. 

Dave Bittner: [00:09:05]  Interesting story from ZDNET. This is "Twitter Proposes Open Social Network Standard," a story by Steven J. Vaughan-Nichols. What's going on here with Twitter? 

Joe Carrigan: [00:09:17]  Well, this is coming directly from Jack Dorsey, it looks like... 

Dave Bittner: [00:09:19]  Yeah. 

Joe Carrigan: [00:09:20]  ...And he wants to change the way Twitter operates. And he's looking at a new technology, and he's going to call it Bluesky, even though he doesn't know what that is yet, it looks like. 

Dave Bittner: [00:09:29]  (Laughter) OK. 

Joe Carrigan: [00:09:30]  But it's to be an open and decentralized standard for social media. I don't know what that means in terms of developing something new. There are already open and decentralized standards for social media like Mastodon. 

Dave Bittner: [00:09:43]  Yeah. 

Joe Carrigan: [00:09:44]  And the article actually talked about Mastodon and some others I hadn't heard of. Like, apparently, Mozilla has created some kind of standard as well. Diaspora and the World Wide Web Consortium, W3C, has a system they call ActivityPub - or standard they call ActivityPub. So I don't know what Twitter is trying to do here other than maybe change the way they operate internally. 

Dave Bittner: [00:10:09]  What does Twitter hope to achieve by shifting to something using an open, decentralized standard, rather than what they have now? 

Joe Carrigan: [00:10:16]  They have four reasons that they list out in this article. One of them is a real, true problem. It's that centralized enforcement of global abuse and misleading information is very difficult to do, and it doesn't really scale. So if you decentralize Twitter, then it might be easier to get rid of fake news. It would be harder to inject fake news into a system - right? - because it's decentralized. You don't have one point where you can do it. That's a good idea. Point two in this article is very salient to me, and I'm just going to read it verbatim. It says the value of social media is shifting away from content hosting and removal towards recommendation algorithms directing one's attention. Unfortunately, these algorithms are typically proprietary, and one can't choose or build alternatives. 

Dave Bittner: [00:10:59]  Right. 

Joe Carrigan: [00:11:00]  Now, you were on "Grumpy Old Geeks" two weeks ago or a week ago... 

Dave Bittner: [00:11:03]  Yeah. 

Joe Carrigan: [00:11:03]  ...Talking about how bad Facebook has gotten for you. 

Dave Bittner: [00:11:06]  Right. 

Joe Carrigan: [00:11:06]  And you and I were talking just before this - we started recording this - and I was making the same complaints you were... 

Dave Bittner: [00:11:12]  Yeah. 

Joe Carrigan: [00:11:12]  ...That Facebook is terrible. 

Dave Bittner: [00:11:14]  (Laughter). 

Joe Carrigan: [00:11:15]  When I scroll through it, I see the same three or four things. It used to be good. It used to be everything that my friends on Facebook posted would show up on my timeline. But... 

Dave Bittner: [00:11:23]  Right. 

Joe Carrigan: [00:11:24]  Now it's driven and censored by an algorithm... 

Dave Bittner: [00:11:25]  Yeah. 

Joe Carrigan: [00:11:26]  ...That I don't have any control over, and I don't see what may or may not interest me. I don't get to pick it, right? 

Dave Bittner: [00:11:32]  Yeah, and you can't directly go in and tweak the settings to get the things that... 

Joe Carrigan: [00:11:36]  Right. 

Dave Bittner: [00:11:36]  ...You want. 

Joe Carrigan: [00:11:37]  Yeah, I... 

Dave Bittner: [00:11:37]  There's a little filtering available. 

Joe Carrigan: [00:11:39]  I will say this. On my Twitter account, I've gone in and I've set muted words to Republican, Democrat, Trump, Pelosi and impeachment, right? 

Dave Bittner: [00:11:48]  (Laughter). 

Joe Carrigan: [00:11:48]  And my Twitter experience has gotten tons better. 

Dave Bittner: [00:11:51]  Look, it's all... 

Joe Carrigan: [00:11:51]  Right. 

Dave Bittner: [00:11:52]  It's all puppies and.... 

Joe Carrigan: [00:11:53]  Right, exactly. 

Dave Bittner: [00:11:55]  (Laughter) OK. 

Joe Carrigan: [00:11:55]  Exactly. 

Dave Bittner: [00:11:56]  All right. 

Joe Carrigan: [00:11:56]  Because I don't get my political news from social media... 

Dave Bittner: [00:11:58]  Yeah. 

Joe Carrigan: [00:11:59]  ...At all. I believe it's a toxic environment for political news. It's not a good place to get your political news. It's just not a conducive environment to that kind of discussion. 

Dave Bittner: [00:12:08]  All right, well, bringing them back around. 

Joe Carrigan: [00:12:09]  But... 

Dave Bittner: [00:12:10]  So in theory, this would allow you to - the option of using alternative or your own algorithms... 

Joe Carrigan: [00:12:16]  Right. 

Dave Bittner: [00:12:17]  ...To decide and help with things... 

Joe Carrigan: [00:12:18]  Curate your own thing feed. 

Dave Bittner: [00:12:19]  Yeah. 

Joe Carrigan: [00:12:19]  Hopefully... 

Dave Bittner: [00:12:19]  Yeah. 

Joe Carrigan: [00:12:19]  ...That's what that - and that, I'm all on board with. 

Dave Bittner: [00:12:21]  OK. 

Joe Carrigan: [00:12:22]  The third point here is that existing social media incentives lead to attention being focused on these very controversial topics, right? 

Dave Bittner: [00:12:30]  Right. 

Joe Carrigan: [00:12:30]  Because it's all about getting your eyes on the page. 

Dave Bittner: [00:12:33]  Getting those clicks. 

Joe Carrigan: [00:12:34]  Right, and getting those clicks. So it tends to lead to things that are emotional and get you - either the dopamine hit or the rage hit, you know... 

Dave Bittner: [00:12:42]  Yeah. 

Joe Carrigan: [00:12:42]  ...Whatever it is that you're going for. And if you can control that and eliminate that, then social media, in my opinion, will become a lot better. Now, here's the point that they're talking about that I'm not on board with a hundred percent. 

Dave Bittner: [00:12:53]  OK. 

Joe Carrigan: [00:12:53]  OK? I'm not on board with at all. 

Dave Bittner: [00:12:55]  OK (laughter). 

Joe Carrigan: [00:12:57]  Twitter says that new technologies have emerged that make the decentralized approach more viable. And then the first thing they say is blockchain... 

Dave Bittner: [00:13:05]  (Laughter). 

Joe Carrigan: [00:13:06]  ...Points to a series of decentralized solutions, and that's true. Blockchain is a great decentralized solution. The problem with that is that blockchains tend to be immutable, right? Once I put something on a blockchain, I can't take it off. That's why bitcoin runs on a blockchain. 

Dave Bittner: [00:13:21]  Yeah. 

Joe Carrigan: [00:13:22]  Right? It is because it's a database that has a permanent record, and it's a public record. I don't want something I tweeted 10 years from now or 20 years from now being deemed culturally inappropriate - right?... 

Dave Bittner: [00:13:36]  Yeah. 

Joe Carrigan: [00:13:36]  ...As time has shifted.... 

Dave Bittner: [00:13:37]  Yeah. 

Joe Carrigan: [00:13:37]  ...And social values have shifted. This has happened to people numerous times and caused great deals of difficulty for people. 

Dave Bittner: [00:13:44]  Yeah. 

Joe Carrigan: [00:13:44]  If Twitter goes to a blockchain, I'm afraid I'm out. 

Dave Bittner: [00:13:47]  Yeah. 

Joe Carrigan: [00:13:47]  I'm afraid that's it for me. 

Dave Bittner: [00:13:49]  But I mean, if you put something out there anyway, even though you can delete it, some - doesn't keep anyone else from capturing it or screen capturing it, right? 

Joe Carrigan: [00:13:55]  That's correct. 

Dave Bittner: [00:13:55]  So... 

Joe Carrigan: [00:13:56]  That's correct. 

Dave Bittner: [00:13:57]  And you know, the internet's... 

Joe Carrigan: [00:13:57]  And... 

Dave Bittner: [00:13:58]  ...Forever, Joe. 

Joe Carrigan: [00:13:58]  That... 

Dave Bittner: [00:13:58]  The internet is forever (laughter). 

Joe Carrigan: [00:13:59]  That's right. And like everybody says, there may - what does deleted mean? It may not mean deleted. 

Dave Bittner: [00:14:04]  Yeah, right. 

Joe Carrigan: [00:14:05]  It may mean that there is a flag in a database called deleted, and that is set to one, which means that we don't show it anymore. 

Dave Bittner: [00:14:13]  Yeah, I... 

Joe Carrigan: [00:14:13]  But we still have it. 

Dave Bittner: [00:14:14]  I guess the other thing I'm curious about here is how is this not against Twitter's own self-interest if they're making their money on those clicks, on those eyeballs on those - on your attention? Twitter's a public company. 

Joe Carrigan: [00:14:25]  Right. 

Dave Bittner: [00:14:26]  What do the shareholders think of a shift like this? 

Joe Carrigan: [00:14:29]  I don't know. That's a good question. It does seem like it's operating against the - against their own interests and the interest of their shareholders. But I think that by acting in the interest of their customers, they may be doing something like Apple does, you know? When somebody says we should exploit our user data, Tim Cook says to that person, you should sell your Apple stock. 

Dave Bittner: [00:14:45]  Right. 

Joe Carrigan: [00:14:46]  Right? 

Dave Bittner: [00:14:46]  Yeah. 

Joe Carrigan: [00:14:47]  Because we're not doing that. 

Dave Bittner: [00:14:47]  How interesting that that sort of attitude is an outlier these days? 

Joe Carrigan: [00:14:54]  Right, well, I think it's going to... 

Dave Bittner: [00:14:55]  No (laughter)... 

Joe Carrigan: [00:14:56]  I think the hope is that - what Jack Dorsey's hoping is that that will differentiate them in the marketplace. And I've already found Twitter to be a more acceptable social media platform for me, based solely on the level of granularity I can apply to what I see. Also, the fact that what I see is essentially just a stream from the people I follow. 

Dave Bittner: [00:15:16]  Yeah. 

Joe Carrigan: [00:15:17]  It's not curated by some algorithm. And if I don't want to see something, I can mute a word and not see it. I can't do that on Facebook. 

Dave Bittner: [00:15:24]  Yeah, yeah. Well, Jack Dorsey acknowledges that this is a long-term project. This isn't... 

Joe Carrigan: [00:15:30]  It is. 

Dave Bittner: [00:15:30]  ...Going to happen overnight or even... 

Joe Carrigan: [00:15:31]  It's not going to happen overnight. 

Dave Bittner: [00:15:32]  ...Probably in the next few years. But... 

Joe Carrigan: [00:15:34]  Yeah, he's going to be building a team of about five people, he says, to work on this. 

Dave Bittner: [00:15:39]  I guess I applaud the effort. I think it's good that people are exploring these sorts of things if it is a good faith effort and not... 

Joe Carrigan: [00:15:44]  Yeah. 

Dave Bittner: [00:15:44]  ...Just PR or something... 

Joe Carrigan: [00:15:45]  Yeah. 

Dave Bittner: [00:15:46]  ...Like that. Well, you know, it's good that we explore these things. I think there's no question we've got some problems, right? 

Joe Carrigan: [00:15:51]  I would agree on that one. 

Dave Bittner: [00:15:53]  So... 


Joe Carrigan: [00:15:53]  We've got real problems with social media. 

Dave Bittner: [00:15:56]  Yeah. 

Joe Carrigan: [00:15:56]  I think there are serious cultural problems that are happening. 

Dave Bittner: [00:15:58]  Yeah. All right, well, we'll keep an eye on it. It's certainly interesting to watch. Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:16:04]  My pleasure, Dave. 

Dave Bittner: [00:16:09]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:16:22]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.