CyberWire Daily - Almost too much lye in the water, down Florida-way. BlackTech’s new malware strain. Huawei says it’s OK if the White House calls.
Episode Date: February 9, 2021. Florida water treatment plant sustains cyberattack: the hack was successful, the sabotage wasn't. A new malware strain is associated with Chinese intelligence services. Ben Yelin tracks a surveillance plane whose funding has fallen. Our guest is Col. Stephen Hamilton from the Army Cyber Institute at West Point. And Huawei's CEO says, sure, he'd take a call from President Biden. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/26
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A Florida water treatment plant sustains a cyber attack.
The hack was successful.
The sabotage wasn't.
A new malware strain is associated with Chinese intelligence services.
Ben Yelin tracks a surveillance plane whose funding has fallen.
Our guest is Colonel Stephen Hamilton from the Army Cyber Institute at West Point.
And Huawei's CEO says, sure, he'd take a call from President Biden.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 9th, 2021. Late yesterday, the sheriff of Pinellas County, Florida, said that his office was investigating
an attempt on Friday to alter chemicals introduced into the city of Oldsmar's water supply.
An unknown party had remotely accessed the water utility's control systems
and directed that the amount of sodium hydroxide be increased by a factor of 100,
from the safe intended concentration of 100 parts per million
to a dangerous 11,100 parts per million.
A treatment plant operator noticed the change and immediately corrected it.
The Tampa Bay Times says authorities have some leads, but that no arrests have been made.
Sodium hydroxide, familiarly known as lye or caustic soda, is a strong base that's the
principal ingredient in many paint stripping and drain opening products and, less scarily, in many soaps.
It's used in small quantities to regulate the acidity of drinking water,
and in even smaller quantities it's used in cooking,
curing olives, preparing lutefisk, baking German pretzels, and so on.
But it's a highly caustic and dangerous chemical in high concentrations,
and so this is a serious attack that could have had lethal consequences.
Pinellas County officials stressed that there was no danger,
that it would have taken 24 to 36 hours
before the sodium hydroxide concentration reached dangerous levels,
but the incident is nonetheless a frightening one.
Despite a fair amount of tweeting and woofing about acts of war and so on,
there's been no attribution of the attack. The operator who stopped the attack noticed
something was amiss when his mouse cursor began moving. Jorge Orchilles tweeted a lesson from the
world of penetration testing. Quote, the easiest way to get caught as a red teamer is to move
someone's mouse. Nothing freaks people out more than their mouse moving when they aren't touching it.
It's a psychological thing.
Kevin Collier thinks this suggests that the attacker is probably more skid than mastermind,
tweeting, we know almost nothing about who they are,
but here's a strong indication this wasn't a masterminded plan.
That's not necessarily reassuring, he added.
Is it comforting to know this probably wasn't some Russian master plan to poison some Floridians,
or more disturbing to think this is how close an amateur could get? End quote. It is, however,
important to emphasize that nothing is publicly known so far about who may have attempted the
attack. It's also worth remembering that the simplicity of an attack,
its ease of execution,
says little more than that there's a broad range of threat actors
who could have accomplished it.
In this case, that ranges from a failed-to-launch skid
in the parents' basement
all the way to a nation-state's espionage or military services,
from a knucklehead down the block doing something for
the lulz up to one of Huggy Bear's cunning brood. The attacker is believed to have obtained access
to the water treatment plant's TeamViewer software, Wired reports, adding that the city
disabled TeamViewer shortly after it noticed the attack. TeamViewer is also relatively easy
to use, and it can be accessed with stolen credentials, and some have seen this as another indication that the attack was not a sophisticated one.
Bryson Bort, founder and CEO of Scythe, commented in an email that, quote,
TeamViewer is a common remote desktop protocol solution in ICS, and the water attack was most likely simple access with stolen credentials.
Using the software means everything is visible to the user, hence the operator saw the mouse move
and settings changed. Who and why is still the question, end quote. What have other control
system attacks looked like? Last spring, Israeli authorities warned that Iranian operators made an attempt
on water treatment and wastewater facilities in two rural districts in Israel. They weren't fully
successful. The Council on Foreign Relations has a summary of that incident on its site.
There was another incident in which the controls of a small flood control dam in Rye, New York,
were remotely accessed. In 2013, the Bowman Street dam's controls were accessed.
The U.S. would ultimately indict an Iranian cyber operator for that action.
Many have commented that leaving the supervisory controls of a water treatment system
open to remote access is extraordinarily risky.
See, for example, comments to that effect by TechCrunch's Zack Whittaker.
Such systems had long been relatively immune to cyber attack
because their age and the legacy control systems they employed effectively air-gapped them.
Austin Berglas is former head of FBI New York Cyber
and currently global head of professional services at BlueVoyant.
He offered some perspective, quote,
Digitization and IoT expansion have allowed for previously isolated infrastructure to be remotely accessed.
For example, water and utilities need to balance security
while allowing operators the ability to remotely access treatment plant SCADA systems
from phones, work, and computers in order to react to alarms and
respond to incidents without having to be physically on site.
As was the case with the Florida incident, no real harm was done by the Bowman Street
Dam hack.
Berglas thinks it likely that the attack on the small sluice gate in Rye just afforded
a proving ground to test capabilities and techniques. And again,
when asked about possible attribution of the Oldsmar attack, he sensibly said simply,
too early to tell. Dragos CEO Robert M. Lee also cautioned against both premature speculation
about attribution and thinking that a challenge like this could be addressed with any single
simple solution. It's a systemic problem with many interdependent aspects. Quote,
hiring, workforce development, culture shifts, working within national priorities and regulations,
state and local regulations, resourcing other areas that are organizational challenges,
modernizing infrastructure beyond cyber, and so on,
there's not one easy answer, tech or not.
It's troubling, for example, to think that in this case
the safety of a water supply depended upon one watchstander
happening to notice that something was briefly unusual on his screen.
Dragos has published a set of considerations and recommendations
other utilities might well consider,
a sensible mix of suggestions for blocking remote access
and improving user training.
Palo Alto Networks' Unit 42 published this morning
an account of a polymorphic malicious shellcode
they're calling BendyBear.
They associate the code with the activities of BlackTech,
a threat actor widely believed to be run by Chinese intelligence services. BendyBear has
some similarities with the WaterBear family of malware, in use since 2009.
Huawei CEO Ren Zhengfei has said, CNBC reports, that he would welcome a phone call from U.S. President Biden, one sovereign to another.
And, just as it is with handshakes, the junior sovereign would call upon the senior sovereign.
They could talk about international cooperation and mutually beneficial development and stuff.
The Army Cyber Institute at West Point, the ACI,
was created to provide the U.S. Army with research on cyber-related challenges and to provide a mechanism for collaboration between
the government's military branches and the private sector. To learn more about their mission,
I checked in with ACI's Chief of Staff and Technical Director, Colonel Stephen Hamilton.
It was started at West Point in 2012. And the idea was, it was before we had the cyber branch,
we were, the Army was trying to get its handle around how to employ cyber.
And the Institute was stood up here by, I believe it was General Odierno when he was the chief of staff of the Army.
And the idea was to harness some of the intellectual power and capital at West Point to be able to put toward this difficult problem that a lot of Army leaders just didn't have awareness of and didn't understand because we were still trying to figure it out. So it was
created in 2012 with a small team. It was kind of born out of the Electrical Engineering and
Computer Science Department, which used to have this organization called the ITOC, the Information
Technology and Operations Center. So it was born out of that. That's where some of the personnel
came from. And then we've slowly built it up over the years and it's become its own standalone
entity outside of a department. We do have a few personnel that teach within the departments
at West Point, but we're a standalone organization that reports directly to the superintendent so we
don't fall under the dean's office. And what role does it play now in terms of
the interaction with the cadets and the staff there at West Point? What is the Army Cyber
Institute's place there? So we're kind of multifaceted. So with regards to West Point,
as I said, we do teach and we also sponsor various projects. We sometimes work with capstone projects that the cadets work on.
But in the big Army scheme, if you look at the cyber organizations, there's Army Cyber Command, which is the cyber force that we have.
Then we also have the Army Cyber Center of Excellence, which is the training piece.
So the initial training that cyber operators get when they come into the Army
or when they get commissioned from here, even from West Point. So once they get the training,
then they go into Army Cyber Command from there. We fall outside of both of those organizations.
And the idea is that while the Cyber CoE is actually doing the training and ARCYBER is actually
conducting the operations, we're outside of both of those realms so that we can kind of look ahead and figure out what are strategic problems, what are things that need to be solved that just can't be solved by somebody who's, if you were to say, in the fight.
So you think of the cyber operators, they're doing the day-to-day mission.
We're not conducting cyber operations from here. Instead, we're looking out like what are the things that we need to be researching and informing the Army on
to better enable us to be prepared in the future. For folks who want to learn more about what you're
up to, if I'm thinking of some of our listeners who may be parts of other organizations, academic
institutions or otherwise, what's the best way for them to reach out? If they go to our website, that would be one way, and they could reach out on there,
which is cyber.army.mil. And we have a pretty good PAO presence. Our PAO is real good about
getting us on social media. So I think that we have a Facebook and a Twitter account as well. They can follow
us there and get information. But yeah, we definitely welcome industry partners if they
have any interest in working with us. In fact, yesterday, we just had a call with FireEye
to discuss opportunities to partner with them. So yeah, we're actively looking at, you know,
just trying to figure out what is the latest, what's the things we need to be letting the future leaders know, which is our cadets here, and then what is
it that we need to be talking to the Army directly about, so we can filter all that out and get
people connected the right way so we can advance our mission. That's Colonel Stephen Hamilton
from the Army Cyber Institute at West Point.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber
for $1,000 off.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security.
Also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
You and I have been, I would say, perhaps obsessively tracking this whole story about the surveillance plane that flies over Baltimore.
Yes, obsessively, definitely.
The Cessna eye in the sky and what that could mean to privacy and surveillance and all those
things. Interesting article here from the Baltimore Sun. It's titled, Texas philanthropists
say they're backing out of financing surveillance plane technology that flew over Baltimore.
What's going on here, Ben?
Yeah, so I think this might be the coda, the end note,
to the era of the surveillance Cessna in Baltimore City.
So the first thing that happened was that the new mayor of Baltimore,
Brandon Scott, has always been opposed to this program.
He was when he was president of the Baltimore City Council.
So he decided to discontinue this program after its two trial runs,
saying, you know, not only was this program,
did this program potentially produce constitutional concerns,
but also most crimes in Baltimore happen at night
when these planes are not flying above the city.
What this article gets at is the philanthropists from Texas
who funded this surveillance system, this network,
are backing out of financing this type of technology.
And this presents some problems.
These philanthropists were named Laura and John Arnold.
They are billionaires.
They had set up Arnold Ventures in Texas to help support these
programs. And even though this surveillance program is being discontinued in Baltimore City,
the founder of this program, a former military guy named Ross McNutt, is trying to introduce it in
other high crime cities across the country, including St. Louis, Missouri. And even though St. Louis was
about to vote on whether to adopt, at least for a trial run, the surveillance system,
Arnold Ventures has now pulled the rug out in terms of monetary support. So Mr. McNutt is
going to have to look elsewhere. Perhaps other venture capitalists, billionaires with a lot of money
who are willing to fund this program.
But this potentially, in my view, could be the death knell for the aerial surveillance system.
It certainly already has been in Baltimore.
It'll be interesting to see if it is across the country as well.
Yeah, it's interesting.
They did an audit of this system.
It was an audit from the Policing Project of New York University. So they did an independent audit. And one of the things they note in this article is the audit also found police relied on supplemental reports to justify following suspects beyond the point of an initial crime.
It said that police used the planes to track suspects long after the initial crime, sometimes for multiple days, which was not approved by the initial agreement.
So it's kind of that thing you and I talk about when it comes to the slippery slope
of surveillance, where if you give someone a tool that enables them to do something,
they're going to do it.
You agree upon a set of guidelines,
guardrails, if you will. So often is the case that they press against those guardrails or step right over them. Yeah, absolutely. And, you know, this is certainly something that's foreseeable.
Obviously, law enforcement is going to benefit from this technology, but if it exists and if
there isn't proper oversight,
and if the court system moves slowly as it relates to particular cases,
then it certainly is ripe for misuse or potentially abuse.
So that's why you just have to be very careful
before you're willing, as any jurisdiction, to employ this type of tool.
Because there's always going to be that potential that it's
going to be used beyond the original scope of authorization.
What do you think about the process here?
I mean, the outcome that somebody had an idea, they got someone to fund that idea.
The idea was tried.
It turned out to not be successful.
The people who were supposed to benefit have said,
we're not really interested in that.
The funding gets pulled.
I mean, did things play out in the way that they're supposed to?
In some ways, yes.
You know, this was adopted through a democratic process, at least in Baltimore City.
I mean, it was a decision that was made by elected leaders.
So it's not like Mr. McNutt just started flying the plane himself.
Right, right.
There is something that maybe
rubs me the wrong way about
billionaires that are not from
the jurisdiction funding a
project where a city
can potentially spy on
its citizens.
I don't know if that's a flaw
in the process or just sort of something that instinctively
makes me a little bit skeptical, if that makes sense.
Yeah, yeah, yeah, absolutely.
All right, well, if you're interested,
the article is over in the Baltimore Sun
written by Emily Opilo.
It's Texas philanthropists say they're backing out
of financing surveillance plane technology
that flew over Baltimore.
Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Keep your head in the clouds and your feet on the ground.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe.
Thanks for listening.
We'll see you back here tomorrow.
Thank you.
...through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.