The CyberWire Daily Podcast 12.18.19
Ep 992 | 12.18.19

Steal first, encrypt later. Cobots at risk? Gangnam Industrial Style looks for industrial info. Rancor update. FISC takes FBI to the woodshed. Vlad the Updater.


Dave Bittner: [00:00:03] More ransomware steals first and encrypts later. Are cobots vulnerable to novel forms of ransomware? Gangnam Industrial Style, the espionage campaign, not the K-pop dance number. Rancor is a persistent, well-resourced and creative APT, but without much success to its credit. The Foreign Intelligence Surveillance Court takes the FBI to the woodshed. And, hey, maybe he's really Vlad the Updater. 

Dave Bittner: [00:00:33]  And now a word from our sponsor, the upcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and Ankura will host this event on Wednesday, March 25 in Baltimore, Maryland, on the Johns Hopkins Homewood campus. You can find out more at, and click on 6th Annual Cybersecurity Conference for Executives. Learn about the do's and don'ts of risk management with industry leaders and other cyber professionals. Check out the details at Click on the 6th Annual Cybersecurity Conference for Executives. And we thank the Johns Hopkins University Information Security Institute for sponsoring our show. 

Dave Bittner: [00:01:21]  Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:01:43]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 18, 2019. 

Dave Bittner: [00:01:51]  Ransomware attacks continue to exhibit the criminal gangs' recent propensity for stealing data before they take the information hostage by encrypting it. A Canadian clinical laboratory firm, LifeLabs, was attacked back in October, and data about some 15 million patients were exposed in the course of the attack. The data the hackers gained access to included names, addresses, emails, logins, passwords, dates of birth and health card numbers. A much smaller subset of patients than the 15 million total also had their lab results exposed. That tally amounted to about 85,000, a relatively small fraction of those affected but considered in absolute terms still a troublingly large number. Data exposed was older, dating to 2016 and earlier, but the breach is still a matter of concern. 

Dave Bittner: [00:02:41]  Most of the people whose PII were accessed are from British Columbia and Ontario. May they be on their guard against identity theft. LifeLabs said that it engaged a security firm to help with forensics and recovery. It also said that it paid the attackers ransom in order to recover access to their files. But that, of course, doesn't restore the privacy of the data that the extortionists took. Once the bad guys have seen the data, they're gone, baby - gone. 

Dave Bittner: [00:03:09]  There is also another front to worry about in the struggle against ransomware - industrial robots. This one is a demonstration and not something that's been seen in the wild, but the demonstration is instructive. Alias Robotics has published a paper describing a method of infecting cobots - that is, collaborating robots used in manufacturing processes - with ransomware that locks them down until the victims pay the attackers to unlock them. The proof of concept, which Alias calls Akerbeltz after a protective animal in Basque folklore, would affect Universal Robots UR3, a widely used cobot. Alias hasn't released the code since it wishes to warn and not arm criminal gangs. 

Dave Bittner: [00:03:54]  Speaking of industrial cybersecurity, CyberX researchers have described a cyber-espionage campaign that's evidently designed to steal sensitive data, especially design information from manufacturers. CyberX calls it Gangnam Industrial Style in homage to the K-pop dance sensation and in recognition that South Korean manufacturers have been most heavily hit. Some 60% of the victims have been located in the Republic of Korea. Other countries affected include, in rough order of the attention they received from the APT, Thailand, China, Japan, Indonesia, Turkey, Ecuador, Germany and the United Kingdom. CyberX offers no attribution, contenting itself with the good work of describing the attack techniques and tactics. One might conjecture that the countries affected by Gangnam Industrial Style should be ruled out. But, of course, there's not only the possibility of misdirection but of an attack slopping over to inflict domestic collateral damage. 

Dave Bittner: [00:04:53]  The attack proceeds by spear-phishing. The emails are plausibly baited with files representing themselves as, for example, requests for quotations - that's RFQs, if you're one of the unfortunates to have purchase authority - or simply as inquiries from buyers. The most common hook is the malicious attachments' payload, normally Separ malware. Separ both harvests credentials and searches for files of interest. 

Dave Bittner: [00:05:18]  The attackers may be after trade secrets in a conventional industrial espionage effort, or they may be looking for industrial system vulnerabilities that could be targeted in subsequent attacks. Both objectives are disturbing, but the second one is positively alarming. Consider the three payloads CyberX offers as examples of what they've found - quote, "an RFQ for designing a power plant in the Czech Republic, which appears to have been sent by an employee of a Siemens subsidiary that manufactures industrial machinery. 

Dave Bittner: [00:05:47]  This email includes a schematic of the power plant and a publicly available technical white paper about the gasification of the plant, which is located in Vresova, Czech Republic," end quote, or this one, quote, "an RFQ for designing a coal-fired power plant in Indonesia, purporting to be from the engineering subsidiary of a major Japanese conglomerate. To increase its appearance of legitimacy, the email includes a publicly available PDF of the company's corporate profile," or this, "an email purporting to be from a buyer at a major European engineering company that designs gas processing and production plants." Whoever's behind Gangnam Industrial Style is taking a close interest in energy infrastructure. 

Dave Bittner: [00:06:32]  Earlier this year, we spoke with the Hewlett Foundation's Eli Sugarman about their Cyber Visuals Initiative, an effort to bring fresh ideas to communicating concepts related to cybersecurity. Since then, the call to artists went out, the submissions came in, and the winners were selected. Eli Sugarman is back to share the results. 

Eli Sugarman: [00:06:52]  We had never done a competition like this before, so we were a bit new to it and, thankfully, had OpenIDEO to be our guide. And so we launched the competition, put out information, hosted information sessions, publicized it and got a lot of interest. You know, we had over a hundred artist-submitted ideas. 

Eli Sugarman: [00:07:13]  And then there were sort of, you know, two phases of review once the deadline was met. And so the first review was sort of taking the hundred-and-change submissions and sort of portfolios, if you will, and reviewing them with a panel of experts. And we, you know, had artists from all over the world, from the U.K. to the U.S. to India to South America. And then sort of, you know, round two was then letting those artists refine their work and submit any final additions. And then we had a different jury sit down and judge those finalists to choose the five winners. 

Dave Bittner: [00:07:46]  Yeah. It's also, I think, noteworthy that none of these fell into what I would consider to be the common sort of cliches and traps that we see with so much of the imagery having to do with cybersecurity. I mean, there's not a hoodie in the bunch. 

Eli Sugarman: [00:08:01]  And that was exactly our goal - that we are, like you, fed up about - fed up by those tropes of hoodies, "Matrix"-style ones and zeros, locks and shields and medieval defensive, you know - I don't know - whatever. 

Dave Bittner: [00:08:18]  Castles and moats, yeah, yeah. 

Eli Sugarman: [00:08:19]  Castles and moats. So that was actually one of the core tenants here was we just - so it's hard - right? - when you're like, I know I don't like what exists, but I don't know what the better options are because Eli Sugarman is not a visual designer. And so it was really neat to see the creative juices flow, to see what folks came up with, which is, as you pointed out, radically different from the existing visual landscape, and we're very excited by that. 

Dave Bittner: [00:08:44]  Now, I know that one of your hopes is that this is the beginning of a conversation. The awarding of these prizes is not the conclusion of something, but that this is going to lead to other things. And where are you looking for this to go from here? 

Eli Sugarman: [00:08:58]  Well, what we hoped to accomplish was just to show that it's possible, that with some resources and guidance, there are talented visual designers who want to do better and want to experiment and create a new visual language for cybersecurity. And so what we're hoping to see is people both to use the images that were created, to evolve them and build off them because the Creative Commons license allows for that. You can take that image. You can then change it, and then it becomes something different. So long as you attribute the original image to the artist, you don't have to pay them anything. It's free, right? It's now a public good. And so we're hoping those are a few ways folks can sort of, like, evolve and take the next step. 

Dave Bittner: [00:09:34]  Why is it important for you and your team there at the Hewlett Foundation to support these types of initiatives? 

Eli Sugarman: [00:09:41]  Our approach to cybersecurity grant-making is building a field. And so we think that as digital technologies spread across society, you need longer-term, rigorous thinking about how to maximize the benefits and minimize the harms. And you need people with a mix of technical and nontechnical skills to really do that. Like, there aren't technical panacea. It's not just a legal question, right? 

Eli Sugarman: [00:09:59]  And so with that field of people, those institutions, those universities, those think tanks, the policymakers they talk to, the C-suite leaders are struggling to talk about these issues in a really in-depth, sophisticated way. We don't even have the words - right? - in the sense that we don't have agreed-upon definitions. But beyond that, to really get through to nonexperts, you need to store - you need to tell stories and show things visually. And so we think that this repository of images is just one small step towards building the ability to do that. 

Dave Bittner: [00:10:28]  That's the Hewlett Foundation's Eli Sugarman. If you want to see the winning submissions, just do a search for Hewlett Foundation Cyber Visuals. 

Dave Bittner: [00:10:37]  The U.S. Foreign Intelligence Surveillance Court in an unusual public order has starchily directed the FBI to give an account of what it was doing when it requested FISA surveillance authority over Trump adviser Carter Page. The New York Times has called the Justice inspector general's report on Crossfire Hurricane damning. The presiding judge, Rosemary M. Collyer, wrote in the order, quote, "the frequency with which representations made by FBI personnel turned out to be unsupported or contradicted by information in their possession, and with which they withheld information detrimental to their case, calls into question whether information contained in other FBI applications is reliable," end quote. She gave the bureau until January 10 to return a list of positive steps it intends to take to ensure that it will henceforth, quote, "provide complete and accurate information in every filing," end quote. 

Dave Bittner: [00:11:32]  The FBI has said that it accepted the inspector general's findings in the investigation of Crossfire Hurricane and that the bureau's Director Wray has already ordered more than 40 corrective measures to tighten up its FISA procedures. A broader IG investigation is in the offing, The Washington Post reports. 

Dave Bittner: [00:11:51]  And, finally, we mentioned yesterday reports that Russian President Putin is still running Windows XP in his office and in his residence, XP being the last version of Windows the Russian organs authorized before moving in earnest toward software autarky. But wait; Forbes sees wheels within wheels here, and points out that the pictures of Mr. Putin at work may well be deceptive, an instance of what the Russians call maskirovka. That sounds pretty scary, but it's a common term in the Russian military lexicon that covers what the Americans would call camouflage and deception. Camouflage is doing something like putting leaves in your hat. Deception would be using phony radio traffic to deceive the enemy about your order of battle. 

Dave Bittner: [00:12:37]  So consider. Suppose you were being photographed in your workplace and you realized, to your horror, that your much-treasured but still sort of embarrassing Nickelback fan poster was visible in the background, so you ask the friendly photojournalist to Photoshop something else over the top of it. To your relief, she agrees, and your picture appears with, say, the Prussian Academy version of the collected works of Immanuel Kant in the background. 

Dave Bittner: [00:13:02]  In this case, Forbes darkly speculates something similar may be afoot. Maybe the Russians just want everybody to think they're still running Windows XP on the president's machines, when, in fact, they're really quite up to date with the latest homegrown OS. It's a riddle wrapped in a mystery inside an enigma. Still, Santa, consider sending Mr. Putin that Best Buy card. And our hats-off to Forbes for referring to the Russian president as Vlad the Updater. 

Dave Bittner: [00:13:37]  And now a word from our sponsor, McAfee. Ideas don't come for free. Budgets are begged for. Long hours are required - the months, maybe even years, of research, the sheer human effort of it all, the changes, the revisions, the reworks, the results, the adaptation, the innovation, the collaboration all lead to the final moment when it pays off - and it's perfect, your company’s work, as long as it's not compromised. From device to cloud, McAfee harnesses the power of 1 billion threat sensors to design security that moves beyond intelligence to insight, so you can move beyond optimizing security products to optimizing your security posture and not just react to threats but remediate threats that matter. Intelligence lets you respond to your environment; insights empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to That's And we thank McAfee for sponsoring our show. 

Dave Bittner: [00:14:50]  And joining me once again is Tom Etheridge. He's the VP of services at CrowdStrike. Tom, it's always great to have you back. We wanted to touch today on this notion of Need for Speed breakout time and something that you all refer to as the 1-10-60 concept. Can you take us through - what are we talking about here today? 

Thomas Etheridge: [00:15:10]  Excellent, Dave. Thanks again for having me. Great to be here. The concept of 1-10-60 really is a benchmark metric for understanding the effectiveness of an organization and being able to detect, investigate and remediate an attack from happening in their environment. And this 1-10-60 rule really is defined, as we see it, as the ability to detect in a minute, investigate in 10 minutes or less and be able to remediate the attack in less than an hour. 

Thomas Etheridge: [00:15:45]  And why is this important? This is important because another metric that we measure, breakout time, is the amount of time it takes an attacker from their initial entry point into a customer's network or environment until the time that they're able to move to a target or move laterally in a customer's environment. And what we see in the metrics that we track is that well-funded, advanced nation-state and e-crime threat actors typically move quickly. On average, it's about an hour and 58 minutes, which is a really tight window for organizations to be able to detect, triage and remediate that issue from becoming a bigger issue. And that's the importance of 1-10-60. 

Thomas Etheridge: [00:16:32]  We've reported in our global threat report last year some of the metrics around advanced nation-state adversaries, like Russian nation-state actors, or Bears as we refer to them, can move in some cases in less than 20 minutes - 18 minutes and 49 seconds to be factual. Nation-states that we call Chollimas, they're the next fastest threat actor group that we're tracking. Their movements typically, from breakout time, is around two hours, 20 minutes and 13 seconds. 

Thomas Etheridge: [00:17:05]  So the ability to be able to detect, triage and understand what's going on with a threat that's in your environment and to be able to remediate it before the threat actor has the opportunity to move to parts of the environment, hide or deploy additional tools that provide access or exfiltration capabilities is really important for customers to understand and try to strive to meet that metric. 

Dave Bittner: [00:17:32]  Can you give me some insights here because I would say my first reaction to the notion of 1-10-60, particularly that 1 of, you know, being able to respond within a minute, how much of this by necessity happens through automation and how much is actual humans who have eyes on the situation? 

Thomas Etheridge: [00:17:53]  The one thing, Dave, that's getting better with organizations is the advancement of the tooling. Endpoint technologies such as CrowdStrike Falcon provide for advanced EDR capabilities where we're able to leverage artificial intelligence data at scale that gives us crisper visibility quicker into what's really going on in a customer's environment. So prevention with some of these new tools is getting better. 

Thomas Etheridge: [00:18:22]  The real shortcoming is around the ability to understand that a threat is actually occurring in the environment. What type of threat is it? Who might the threat actor be? What are their motivations? What information are they trying to glean from their access? Are they trying to monetize their access or simply exfiltrate data from a customer's environment? So being able to triage that very quickly, having great intelligence capabilities - good, strong analysts that understand what these threat actors are motivated by and, really, I should say, understanding your own environment and what would motivate an attacker to actually access your environment. 

Thomas Etheridge: [00:19:01]  And then the last piece of this which is the remediation capabilities. This is an area that is certainly lacking for many organizations. Understanding what's going on but being able to stop it. Really, those are some of the key elements of the 1-10-60 rule. And some of the services that we offer and certainly our technology is being built and designed to provide better controls and better ability to respond to and remediate these breaches from happening in a client environment. 

Dave Bittner: [00:19:31]  Tom Etheridge, thanks for joining us. 

Thomas Etheridge: [00:19:33]  Thank you. Very welcome. 

Dave Bittner: [00:19:39]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:52]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.