CyberWire Daily - Apparent cyber sabotage at Natanz. Arrest made in alleged plot to blow up AWS facility. Scraped data for sale in criminal fora. US senior cyber appointments expected soon.
Episode Date: April 12, 2021
Iran says Israel was responsible for sabotaging the Natanz nuclear facility yesterday, and Tehran promises revenge. Online plotting results in the arrest of a Texas man alleged to have planned an attack on an Amazon Web Services center. Scraped, not hacked, data from LinkedIn and Clubhouse are being hawked online. Andrea Little Limbago from Interos addresses asymmetric power within cyberspace and how that plays out in warfare. Our guest is Giovanni Vigna from VMware on the takedown of the Emotet infrastructure. And the US moves to fill senior cybersecurity positions. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/69
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Iran says Israel was responsible for sabotaging the Natanz nuclear facility yesterday,
and Tehran promises revenge.
Online plotting results in the arrest of a Texas man alleged to have planned an attack on an Amazon Web Services center.
Scraped data from LinkedIn and Clubhouse are being hawked online.
Andrea Little-Limbago from Interos addresses asymmetric power within cyberspace and how that plays out in warfare.
Our guest is Giovanni Vigna from VMware on the takedown of the Emotet infrastructure.
And the U.S. moves to fill senior cybersecurity positions.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 12, 2021.
Two kinetic incidents of importance surfaced over the weekend.
Both had at least one foot in cyberspace.
In the first, Iran's Natanz nuclear facility sustained an apparently deliberately planned explosion and power outage Sunday, according to the New York Times.
Iran had just begun on Saturday injecting gas into the new generation uranium enrichment centrifuges at Natanz,
testing that marked National Nuclear Day in Iran.
A member of Iran's parliament said, quote,
The blackout in Natanz on the anniversary of National Nuclear Day is suspicious and may be due to sabotage
while Iran is trying to convince the Western countries to
lift the sanctions. While decrying the outage as sabotage and an act of terror, even nuclear
terror since Natanz is a nuclear facility, specifically one devoted to uranium enrichment,
Iranian authorities did not immediately assign blame. Israeli media, however, unofficially attributed the incident to an Israeli cyber attack
and cited anonymous Western intelligence sources as telling them that the sabotage had been a Mossad operation.
Whether those sources were Israeli or from other countries is so far unknown.
The Wall Street Journal reports that this morning Tehran
did the same and promised revenge against the Zionists. So there's no longer any doubt about
whom Iran sees as responsible for the explosion. The Washington Post quoted an unnamed senior U.S.
official as saying, we have seen reports of an incident at the Natanz enrichment facility in Iran.
The United States had no involvement and we have nothing to add to speculation about the causes.
Israel, of course, didn't and isn't expected to publicly avow any role in the incident.
CNN, reading between the various lines, thinks that Israeli Army Chief of Staff Aviv Kochavi
alluded to the operation in a sideways fashion
a few hours after Iran reported the explosion
when he said in a speech that Israel's, quote,
operations throughout the Middle East
are not hidden from the eyes of the enemies, end quote.
He added, they are watching us,
seeing the capabilities and carefully considering their steps.
The Natanz facility, which Iran maintains is a peaceful nuclear research facility,
but which many observers think is a nuclear weapons development operation,
has been subjected to cyber attack before.
The Stuxnet tool, widely believed to have been developed by 2009
and subsequently introduced into Natanz in a joint Israeli-U.S. operation,
disabled centrifuges at the installation by affecting the Siemens programmable logic controllers used in the enrichment process.
The other incident involved the arrest Thursday of a Texas man whom the FBI says attempted to buy explosives from an undercover FBI employee,
allegedly intending to blow up an Amazon Web Services facility in Virginia.
Bleeping Computer says that the Bureau identified the man's plans
from posts he'd made in January on the MyMilitia site.
A third party also tipped off the FBI that the suspect, one Seth Aaron Pendley,
had communicated in a Signal message
an interest in buying C4, The Record reports.
C4 is a kind of plastic explosive
which uses RDX as its principal ingredient.
It's a military explosive
that's also been used in terrorist bombings.
The Justice Department said
in a Friday press release announcing the arrest and the charges that Mr. Pendley explained in a
Signal message that he was planning to use C4 to attack Amazon's data center, which he felt would,
as he put it, kill off about 70% of the internet. Of course, to use C4, one must get C4. And one of Mr. Pendley's
online contacts, one whom Justice describes as a confidential source, put Mr. Pendley in touch
with a potential supplier, who was, of course, an undercover FBI employee. According to the
Justice Department, quote, in recorded conversations, Mr. Pend
When he met the undercover employee on April 8th,
Mr. Pendley picked up what he believed to be explosives, but which in fact were just inert materials.
He had the undercover employee show him how to arm and detonate the phony explosives, and he then loaded them into his car, at which point the FBI arrested him.
Information from both LinkedIn and Clubhouse is being offered for sale in criminal
markets. In both cases, the data appear to be publicly available and to have been scraped.
Both LinkedIn and Clubhouse have convincingly denied being breached.
The data on offer appear to be what the media's users would have themselves made public.
And finally, President Biden will appoint NSA alumni to senior cybersecurity posts,
The Washington Post reports.
Chris Inglis will serve as National Cybersecurity Director,
and Jen Easterly will serve as CISA Director.
Easterly was among the NSA officials involved in establishing U.S. Cyber Command almost 10 years ago.
Inglis has served for eight years as NSA Executive Director, the second-ranking official in the agency.
As the first National Cyber Director, a role created late last year by Congress in response to recommendations developed by the Cyberspace Solarium,
his role will be coordination of civilian agencies' cyber defense
and review of the relevant portions of their budgets.
The position is outside the National Security Council,
and so Inglis will not be responsible for overseeing offensive cyber policy
as executed by military services and the intelligence community.
The recent international law enforcement effort to take down the Emotet botnet
has by all accounts been remarkably successful. Time will tell if Emotet's operators are able
to reconstitute the botnet or who might step in to fill the vacuum left in the takedown's wake.
Giovanni Vigna is director of VMware's NSBU Threat Analysis Unit,
and he joins us with insights on what he and his team have been tracking.
Emotet is one of the most prevalent malware,
and it has been around for a substantial amount of time and has evolved in many different ways.
I mean, this is common with malware. There are groups that are responsible for a piece of malware.
Often they sell access through their malware, so like installation as a service.
Sometimes they change their tactics, sometimes they change their code to avoid detection, to avoid being profiled. So actually it's a big part of
any threat intelligence analyst's work to sort of, you know, follow this lineage and understand
how a particular threat evolves. However, this particular threat was egregious because of the size of the pool of machines
that were infected and the success that it had in collecting victims and therefore data
that was then monetized in many different ways, from information, personal information access, to credit card fraud, from banking fraud to ransomware. The whole system had
different aspects depending on the time and place.
How successful has law enforcement been in their takedown of Emotet?
I think they've been very successful. Of course,
you know, the real success in this operation is the apprehension of actual human beings. So
this can really stop when people are in jail. Of course, you can also really destroy or
dismantle, I would say, the infrastructure.
And that's what we observe in our telemetry.
So just to give you a little bit of background
as being the threat intelligence group
and under my direction,
we keep tabs on what we call the threat landscape.
And so we constantly look at data
that comes from our customers, from the open source environment to see what are the most seen pieces of malware?
What are the most common type of CNC communication?
And we have, of course, Elasticsearch and a bunch of different algorithms to identify what are the most relevant threats.
And with the takedown, we saw Emotet, which had been the most obviously prevalent threat, completely disappear.
And so this is a sign based on data, since we're data scientists too, that actually the takedown was effective. However, we will only know in the months following
when we will see, for example, arrests, convictions,
of actual operators of this type of threat.
That's Giovanni Vigna from VMware's NSBU Threat Analysis Unit.
And joining me once again is Andrea Little-Limbago.
She's the Vice President of Research and Analysis at Interos. Andrea, it's always great to have you back.
I am fascinated by the asymmetry of power within cyberspace, how things in cyber allow folks who otherwise would not have been able to have the influence on the world that they would have to have now.
In the old days of building battleships and aircraft carriers,
you can have influence in cyber without having to build a battleship or an aircraft carrier, right?
No, absolutely.
And it really, it's one of those aspects, I think,
of cyber that gets overlooked quite a bit.
We say a lot, the notion of asymmetric power,
and we think, you know, very often of, say,
North Korea and Iran, even Russia,
if you look at their economy size,
to have really this outsized impact on global affairs.
And, you know, it's really changing warfare
and geopolitics enormously.
I think much more so than is normally appreciated.
And we have this big push right now
on major power competition,
and that is 100% understandable.
Absolutely, there are a lot of areas of competition
going on between the US and China,
but I worry that we lose sight
on how other trends may be going on,
especially through this notion of asymmetric power
and how that's also shifting geopolitics.
And so that's just something
I've been looking at a little bit, especially when thinking
about not just through cyber, but also cyber and emerging technologies and how they're
integrated together and how that's really changing the evolution of warfare really,
really quickly.
It's one of those things that a lot of people think is more so in science fiction, you know,
10, 20 years from now, maybe at the earliest, but it's really, it's going on now.
And so it would be unfortunate to overlook it. I think also it would be myopic
because it's going to be disrupting all aspects of both, you know, national security, economic
security, global trends, all of those. It's having, it's reshaping a lot of different aspects of the
world right now. Can you give us some examples? Yeah, definitely. And the one that I've been
looking at a bit is just the use of drones in warfare.
And again, it's one of those things, you know, several years ago, a drone was associated with an attempted coup in Venezuela, if folks remember that.
And then we kind of didn't hear about drones very much so other than, again, and sort of these stories that we're looking ahead.
But what we saw over the last year was signs of drones being used
in numerous regional conflicts.
And a couple of them,
Armenia and Azerbaijan,
the conflict going on there,
there was drone footage
that was identified
as having a potentially decisive role
in the outcome of that.
And one, you can think of both
through the lens of warfare
and that some were even saying
to the point that it made tanks irrelevant.
And so not sure I'd go that far quite yet, but when you do have a drone targeting tanks,
that mental model really does have to shift very quickly in looking at how technology is shaping and innovation or reshaping warfare.
So that's just one example.
In the Tigray region in Ethiopia, there have been claims of drones there with some footage posted on social media.
In Western Sahara and Morocco,
where there's a fight over territory. And that's actually this, you know, a lot of these are fights
over territory, which is also something that's re-emerging. And I think that this asymmetric
notion of power is actually helping that. There as well, there are some drones used in that regional
conflict. And so that's just over the last year. And I imagine we'll see many more in the years to
come. But when you look at that, so one,
it's shifting the nature of warfare, but it's also shifting the nature of who's making these drones,
right? And so it gives the power to those who are the ones largely making all these drones.
And right now, China really has quite a lock on a lot of that market. Although in these
conflicts I just mentioned, some of the producers range from UAE to Turkey or Israel.
So there are a lot of different companies,
or countries out there making them,
and there actually right now are about 100 countries that have drone capabilities on the military end.
So it's not something that is just a few and far between.
Because it's cheap to have an outsized impact,
it's another area.
But you can imagine down the road
what happens when drones get compromised.
What about in terms of setting policy
for conflict in general?
I mean, I'm thinking that a nation
might have much less resistance to starting a war if we don't have to send soldiers, we don't have to send pilots, we don't have to send sailors, that all that can be handled by these, you know, remote vehicles and even robots, you know?
Yeah, well, I mean, there have been some studies already.
I mean, there's some websites that track the U.S. usage of drones, which has increased quite a bit over the last decade.
And there has been some additional studies showing that by taking the human out of the loop, it does make people, policymakers, leaders, less restricted in their use of it. a lot of human and ethical components that go along with it and more policies that need to be made
to regulate basically the proper use
in the rules of warfare going ahead
and when it might be acceptable,
when is it justified
as far as within the terms of warfare
and when is it unjustified.
And that's something that's been a challenge
throughout history
as technology changes and evolves.
What is just and unjust warfare?
And this is the latest example.
And it's starting to get some attention,
but there's a whole lot more work
that needs to be done in that area
because it's absolutely right.
When you take your own human loss out of it,
it does alter the calculus, very much so.
All right, well, Andrea Little-Limbago,
thanks for joining us.
Great. Thank you, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
You asked for it, you got it.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.
And check out the Recorded Future podcast, which I also host.
The subject there is threat intelligence.
And every week we talk to interesting people about timely cybersecurity topics.
That's at RecordedFuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan,
Thanks for listening. We'll see you back here tomorrow.