CyberWire Daily - Bahamut’s hackers-for-hire. SlothfulMedia looks made-in-China. Domains run by IRGC seized. Phishbait uses current events as chum. Who dunnit? Not us, or rather, prove it, says Moscow.

Episode Date: October 8, 2020

Add the Bahamut cyber mercenaries to the shadow armies for hire in cyberspace. Reports associate the SlothfulMedia RAT with Chinese intelligence services, and claim that it’s being used against India and China. The US takes down domains the Islamic Revolutionary Guard Corps uses to push disinformation. Trends in phishbait. Caleb Barlow rethinks a TED talk he gave a while back, given what we’ve learned from COVID-19. Our guest is Dr. Greg Rattray from Next Peak on 'Advanced Persistent Threats', a term, by the way, that he coined. And Moscow says, hey, we don’t meddle in anyone’s elections. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/196

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Starting point is 00:00:46 Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Thank you. Now at a special discount for our listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off
Starting point is 00:01:34 is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash n2k, code n2k. Add the Bahamut cyber mercenaries to the shadow armies for hire in cyberspace. Reports associate the SlothfulMedia RAT with Chinese intelligence services. The U.S. takes down domains the Islamic Revolutionary Guard Corps uses to push disinformation. Trends in phishbait. Caleb Barlow rethinks a TED Talk he gave a while back,
Starting point is 00:02:17 given what we've learned from COVID-19. Our guest is Dr. Greg Rattray from NextPeak on advanced persistent threats, a term, by the way, that he coined. And Moscow says, hey, we don't meddle in anyone's elections. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary
Starting point is 00:02:44 for Thursday, October 8th, 2020. BlackBerry yesterday published its research into the activities of Bahamut, a threat group regarded as a mercenary operation, unusually sophisticated and patient. Its customers, or true sponsors as BlackBerry calls them, remain unknown. It's engaged in cyber espionage and disinformation, and its operations are marked by extensive reconnaissance, concentration on particular targets, and attention to detail. It prefers phishing to malware, but it shows unusual savvy with respect to zero days when it decides to deploy those. The attention to detail shows up, for example, in the apps and websites Bahamut
Starting point is 00:03:38 devises. In an underworld where goons can scarcely be bothered to care a little about spelling, still less about idiomatic control, and not at all about the legal folly swaddles in which the squares and flats ensconce their commerce, Bahamut's stuff comes complete with, as BlackBerry puts it, well-designed websites, privacy policies, and written terms of service. Not only do these provide the corroborative detail that lends verisimilitude to what would otherwise be a bald and unconvincing narrative, but that verisimilitude also helps Bahamut pass through safeguards both Google and Apple have in place. Big Tech's walled gardens
Starting point is 00:04:17 are as open to Bahamut's wares as a locked door is to a ghost. The group is most active in the Middle East and South Asia. Given their patience and sophistication, so unusual in the short-sighted get-it-now underworld of the typical cybercriminal, why do BlackBerry and others not read Bahamut as just a nation-state's espionage service? The techniques convincingly suggest a single actor, but BlackBerry says the lack of discernible pattern or unifying motive moved BlackBerry to confirm the group is likely acting as hack-for-hire mercenaries. BlackBerry sees Bahamut as a leading example of the outsourcing of cyber espionage and disinformation, attractive not only for its capabilities but also for the deniability it brings.
Starting point is 00:05:04 Bellingcat began to take notice of Bahamut in 2017 as the actor behind a series of spear-phishing emails in English and Farsi directed to human rights activists in the Middle East. So the group is not a new one. CyberScoop, in its account of BlackBerry's research, offers a review of other mercenary actors, but Bahamut really does seem to set the standard. CyberScoop has a follow-up to earlier warnings by the U.S. Department of Homeland Security's
Starting point is 00:05:34 Cybersecurity and Infrastructure Security Agency and U.S. Cyber Command's Cyber National Mission Force. Last week's warnings concerned SlothfulMedia, a remote-access trojan, that is, a RAT, used in cyber espionage campaigns. CyberScoop reports that sources in the U.S. government have told it, on background, that SlothfulMedia is indeed associated with the Chinese government. It's been used against both India and Russia, and the U.S. officials who spoke with CyberScoop are particularly interested in seeing it become generally known that Beijing is actively and aggressively spying on Moscow. The enemy of my enemy isn't really my friend, but on the other hand, it is my enemy's enemy. The U.S. Justice Department last night announced the seizure of 92 domain names that Iran's Islamic Revolutionary Guard Corps, the IRGC, had been using in global disinformation campaigns.
Starting point is 00:06:32 The domains were used to create fake personas, misrepresenting themselves as independent news services. Four of the domains hosted bogus news outlets the IRGC used in attempts to influence U.S. foreign and domestic policy. So that's just the IRGC putting its opinions forward, one might say. Is that a crime? Well, actually, in this form, yes. Specifically, it's a violation of the Foreign Agents Registration Act, so it's the imposture that's the crime, not necessarily the content. The other 88 domains taken in the seizure hosted equally phony news services that went after audiences in Western Europe, the Middle East, and Southeast Asia. Justice credits Google with alerting them to the campaign, citing it as a good instance of public-private cooperation.
Starting point is 00:07:24 The takedown itself was a cooperative effort of the FBI, Google, Twitter, and Facebook. The FBI's special agent in charge who directed the Bureau's part of the operation said, quote, monetizes maintaining an ongoing relationship with a variety of social media and technology companies. These relationships enable a quick exchange of information to better protect against threats to the nation's security and our democratic processes. End quote. But what does it look like when a domain is seized? Well, it looks like this.
Starting point is 00:07:59 Should you navigate over to any of the sites the Bureau took down, you'll see a page with the headline, This website has been seized. The explanation below the screamer and above the seals of the Department of Justice and FBI says, This domain has been seized by the Federal Bureau of Investigation pursuant to a seizure warrant issued by the United States District Court for the Northern District of California under the authority of 18 U.S.C. 981(b) as part of a coordinated enforcement action by the United States Attorney for the Northern
Starting point is 00:08:29 District of California and the Federal Bureau of Investigation. So there. And finally, TASS is authorized to disclose that accusations of Russia's interference in foreign elections are groundless, baseless, and without foundation. That's not necessarily the same thing as false, so call it a see-em-and-call, non-denial denial. Transat presents a couple trying to beat the winter blues. We could try hot yoga. Too sweaty.
Starting point is 00:09:07 We could go skating. Too icy. We could book a vacation. Like somewhere hot. Yeah, with pools. And a spa. And endless snacks. Yes!
Starting point is 00:09:15 Yes! Yes! With savings of up to 40% on Transat South packages, it's easy to say, so long to winter. Visit Transat.com or contact your Marlin travel professional for details. Conditions apply. Air Transat. Travel moves us. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:09:39 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:10:17 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:11:10 Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. It is not often when conducting an interview for our show that I am stopped in my tracks with a... I'm sorry, wait, what? But that's what happened when I was chatting with Dr. Greg Rattray, co-founder and CEO at cyber advisory and operational services firm NextPeak, when, in the midst of our conversation about APTs, advanced persistent threats, he offhandedly and, might I add, quite modestly mentioned that he was, in fact, responsible for coining the term. At the time, I was the head of what's called the operations group of what was then the Information Operations Center, or Information Warfare Center.
Starting point is 00:12:07 And, you know, we had been experiencing what at that time was treated as very sensitive information, no longer sensitive that the Chinese conduct cyber espionage, but at the time sensitive. And we had become increasingly concerned about the risk not only to Air Force systems or DOD systems, but to the defense industrial base. And a particular incident, which I'm probably not at liberty to go into the specifics of, had really caught the attention of the leadership in their decision made to bring in people from a lot of our primary Air Force contractors to talk to them about the nature of the cybersecurity concerns we had and we thought that they would have too.
Starting point is 00:12:56 And we wanted to do that in an unclassified fashion with the CISOs and the CIOs of these companies. So it led to, you know, preparing a presentation. And in order to characterize what was different than what we thought they might be dealing with, which they thought they were just dealing with one-off hacking incidents, but that we felt like we had an adversary that was conducting long-term focused, you know, now we call cyber operations, but, you know, penetration operations, we came up, we decided, and we coined the term, or I coined the term advanced persistent threat, really just to create a construct for a conversation about what
Starting point is 00:13:42 was different and of the nature of what we were experiencing now from these sort of one-off hacking incidents. And I guess the term stuck and it really kind of took off from there. Yeah, I think the way it sort of took root was, as you may well know, there was a concerted effort really from that point forward to partner with industry. That was an Air Force term which turned into a DOD-wide effort to partner with the defense industrial base, which still is a major element of DOD relationships with its contractors. And, you know, in those conversations, we sort of went to this sort of introductory conversation we had had and kept using that terminology APT, right?
Starting point is 00:14:38 You know, and that sort of got out, I think, that the collaboration was there and people started to report on it. And in the conversations, people kept using that term. So I think it was sort of through those origins that the term took root in the dialogue, first sort of internal to the DoD partnerships with this industry, but then more broadly in the cybersecurity community. This evolution of the APT is sort of what we need to understand now and not use it too narrowly. That's Dr. Greg Rattray from NextPeak. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:15:25 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great to have you back. I want to touch base with you. You know, a while back, you gave a TED Talk that had to do with large-scale cyber events.
Starting point is 00:16:23 And you and I were talking recently about how recent events have made you sort of look back and think about maybe if you had to do some updates on some of your conclusions from back then. Can you share your line of thought with us? Oh boy, Dave. Well, what I said in this TED Talk was that,
Starting point is 00:16:40 hey, the way we need to respond to a large-scale cybersecurity incident, like let's take a NotPetya-level incident, was that we needed to think about it like how you'd respond to a pandemic. You know, governments and private institutions would get together and would really rally around the cure and would share information openly and widely, and that's what we needed to do more of in the cybersecurity industry. Well, that TED Talk got a ton of listens and a lot of kudos for that kind of thinking.
Starting point is 00:17:13 But of course, now we have pandemic. And it's not going so hot. In fact, I'm kind of looking at Dave going, maybe we need to rethink that thesis. So I started really thinking about this and kind of flipped it upside down and backwards and said, okay, well, there's some things that aren't working in the pandemic. Could we learn things from that
Starting point is 00:17:33 that could inform how we respond to a cyber attack of significance that's global in nature? You know, again, take a NotPetya-level event that goes on not for days, but for many days, right? And the first thing we have to realize is the internet now is the critical infrastructure. It's how we educate our children, literally right now, at least in my household. It's how we go to work. It's how we make money. It's how we educate ourselves.
Starting point is 00:18:03 It's how we shop. It can't go down, right? So it trumps all other critical infrastructures. And, you know, if we think of a COVID-19 response, well, it requires a whole of nation response as well as you need multiple nations to get together to rally around a problem. And you probably also need the private sector. Well, one of the first things we can learn that we've got to figure out in our planning is who the heck is in charge, right? I mean, we're seeing arguments at the state and local level in this. We're seeing arguments and even competition between countries as we look for a cure.
Starting point is 00:18:41 Now's the time as cybersecurity professionals to say, hey, if this happens on our security watch, we've got to figure this out ahead of time. And all the more important to, you know, join your local InfraGard chapter and connect with law enforcement, build those relationships with government entities and, you know, really lean into the ISACs more than we've ever thought of before to build that connective tissue. But we're going to have to think about at the governmental level, who is in charge? Because if we don't know who's in charge, then everybody goes off kind of doing their own thing. And we're frankly seeing a lot of that in the response to this pandemic.
Starting point is 00:19:22 I can't help wondering, I mean, is part of this process making it so that the process itself is independent of the leadership skills or lack thereof, whoever may be in charge at the time? Because as we've seen, certainly globally, there's been a wide spectrum of responses from different nations. And a lot of that has been coming from whoever's at the top. Well, one of the things you learn about with, you think about any form of crisis response. So whether we're, and we've talked about this on this show before, right? Whether we're talking about crisis response that's used in fire and EMS or the military,
Starting point is 00:19:58 the first principle in most of those doctrines is you work the problem with who's in the room and who is the most skilled, not who has the highest level title, right? So, and this is the difference, I think, between a lot of business decision-making and crisis decision-making. You want the decision to be made quickly. You want it to be made with people that have high skills and you want to be able to change the decision
Starting point is 00:20:24 if you're going down on the wrong course and new evidence leads you a different direction. So probably the first thing we have to recognize is that a lot of the decision-making we need to make in a large-scale cybersecurity incident probably isn't held with governors and the executive branch of the United States government. It's probably held in private sector enterprises. It's probably held in ISACs where people can be both better informed of what's actually happening, but also you've got security professionals making some of those
Starting point is 00:20:58 decisions. And that's a gigantic shift from how we think about your typical emergency response today. So should we be looking at some sort of global tabletop exercise? Well, it's not a totally bad idea, especially if the exercise extends into both the public and private sector. There's some other things we've learned in this crisis, though, that we've got to figure out. It isn't just sitting down and laying out our runbooks. Like, how are we going to counter disinformation? Now, this is something as a security professional I have never really thought about before. But one of the things this pandemic taught us is that we're going to have to have very robust tools, not only to communicate with each other when the internet is potentially down, which by
Starting point is 00:21:45 the way is not easy, but also we're going to have to make sure we can communicate at levels of trust and counter disinformation that may be coming from other governments, from the bad guys, from here, there, and everywhere. And that's something I don't think is in anybody's runbook today. Yeah. I mean, it's fascinating the lessons that we've learned here, isn't it? It really is. But here's the thing. Let's not let the crisis go to waste and let's see what we can learn from it.
Starting point is 00:22:14 Yeah. Yeah. All right. Well, Caleb Barlow, thanks for joining us. Thanks, Dave. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, it'll keep
Starting point is 00:22:50 you informed, and it takes a licking and keeps on ticking. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Starting point is 00:23:19 Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
