CyberWire Daily - Bloomberg reports a seeding attack on the supply chain by Chinese intelligence services. GRU is named, shamed, indicted, and expelled.
Episode Date: October 4, 2018. In today's podcast, we hear that Bloomberg reports that a Chinese hardware hack has infested sensitive US supply chains. Dutch authorities expel GRU officers for attempting to hack the international body investigating the nerve agent attacks in Salisbury. Australia, the UK, and Canada all finger the GRU as responsible for high-profile cyberattacks. The US indicts seven GRU officers for a range of hacking-related crimes. Craig Williams from Cisco Talos with tips on getting the most out of security conferences. Guest is Oussama El-Hilali from Arcserve with thoughts on business continuity and disaster recovery.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Bloomberg reports that a Chinese hardware hack has infested sensitive U.S. supply chains.
Dutch authorities expelled GRU officers for attempting to hack the international body
investigating the nerve agent attack in Salisbury.
Australia, the U.K., and Canada all finger the GRU as responsible for high-profile cyber attacks.
And the U.S. indicts seven GRU officers for a range of hacking-related crimes.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 4th, 2018.
Chinese cyber operations against the U.S. are scheduled to come front and center when
U.S. Vice President Michael Pence delivers a speech laying out the American
case against China for influence operations directed at the coming midterm elections.
But a report this morning by Bloomberg offers some startling allegations.
The news organization's investigation alleges that China succeeded in compromising U.S.
computer hardware supply chains with maliciously crafted chips.
The chips, Bloomberg says, were found in motherboards of servers intended to handle, among other things,
US government files, some regarded as sensitive.
They turned up in equipment made for Amazon, which apparently alerted US authorities of suspicions about the hardware,
and for Apple. Video encoding shop Elemental Technologies,
since 2015 an Amazon subsidiary now known as Amazon Prime Video, engaged Supermicro to assemble its
servers. Supermicro used several Chinese subcontractors in the process, which is where
the compromise is thought to have occurred. Bloomberg says Amazon noticed something
fishy, very small chips on the motherboards not part of the design, after it acquired Elemental
and undertook a routine security review of the equipment that Elemental engaged California-based
Supermicro to build for it. Their tip to the government opened an investigation, Bloomberg
calls it top secret, that remains open three
years later. Among the results Bloomberg reports is a finding that the chip established a persistent
backdoor into the system on which it was mounted. If this is what happened, it would be a seeding
attack, with malicious hardware placed upstream in the supply chain, where it would eventually
find its way into targeted systems. The other class of hardware attack that's sometimes discussed is an interdiction attack,
in which finished devices are altered while they're in transit between manufacturer and end-user.
Some 30 companies in various sectors are thought to have been affected,
and Supermicro hardware is used in a wide variety of systems, including some used by the U.S. military.
Apple and Amazon Web Services are both said to have been affected
and both strongly denied to Bloomberg that the incident ever occurred.
Amazon said, quote,
Amazon also told
news outlets in France that, quote, at no time past or present have we ever found any issues
relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or
Amazon systems, end quote. Apple wrote, quote, on this we can be very clear. Apple has never found malicious chips, hardware manipulations,
or vulnerabilities purposely planted in any server, end quote.
Supermicro said, quote,
We remain unaware of any such investigation, end quote.
For its part, the Chinese government deflected direct questions
about what did or did not find its way into Supermicro hardware,
issuing a pious statement about logistics that said in part,
quote,
No comment from the FBI or the Office of the Director of National Intelligence,
but Bloomberg is standing by its story.
Its notes on sources are interesting and worth quoting.
Quote,
Six current and former senior national security officials who,
in conversations that began during the Obama administration
and continued under the Trump administration,
detailed the discovery of the chips and the government's investigation.
One of those officials and two people inside AWS
provided extensive information on how the attack played out at Elemental and Amazon.
The official and one of the insiders also described Amazon's cooperation with the government investigation.
In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim.
In all, 17 people confirmed the manipulation of Supermicro's hardware
and other elements of the attacks.
The sources were granted anonymity because of the sensitive
and in some cases classified nature of the information.
End quote.
Concerns about supply chain hacking with malicious hardware
have worried U.S. government policy advisors for more than 10 years,
with studies from Sandia National Laboratories and elsewhere pointing out the potential threat.
That threat may have been realized.
President Trump and his administration have made no secret of their concerns
about Chinese hardware in the supply chain,
and have made that hardware a focus of trade sanctions,
with the confident hope that manufacturers will move to other suppliers.
Switching gears a bit to more routine protection of data, it's widely understood that it's
important to have plans in place for the possibility or eventuality of a serious data breach.
We spoke with Oussama El-Hilali from Arcserve, who offers his thoughts on proper continuity
and disaster recovery preparation.
Well, quite often what we see is that organizations will either not protect all of their data
or may come into an approach where they think the data is protected.
Quite often the situation is that they have a third party, you know,
or they're putting the data in the cloud and they're assuming that because the data is in the cloud, it's somehow backed up and protected and there's multiple copies of it.
And quite often it's the inability to distinguish between what is critical and what is not so critical.
Obviously, if you have files that are relating to contracts or things where the frequency of accessibility is long, you know, it gets pulled once every seven years
or once every two years, it's not like an application that has your email and your communication
systems on them. So that qualification sometimes creates a problem for those organizations.
What about the notion of people rehearsing their plans? Is that something where people
don't often take it to the degree that they need to?
Yeah, that's a very, very good question, actually. Quite often, you know, people are backing
up based on a policy that they have established.
And the person who established the policy may have had a notion of how they want to recover the data,
but they may leave and the policy continues to execute on a regular basis.
And then when a disaster happens or a need to recover some data happens,
those assumptions that were made are no longer there.
So it is very, very important to kind of do the testing, multiple types of testing.
For example, if I need a file or I need an email, you know, a granular restore of a mailbox or a certain email,
what is the process that I follow? And quite often we find that in that the more sophisticated users
not only have a plan that they rehearse on a regular basis, but that plan is detailed
to the point where it says, you know, here's the names, here's the passwords, here's how
you access these systems, here's how these systems are protected so that under most foreseeable circumstances,
not only the task can be accomplished and the data can be restored,
but also if something unexpected happens,
that can be remitted immediately and the process continues.
Now, you all recently conducted a survey. You surveyed over 600 of your channel partners and other IT decision
makers, and you gathered some interesting data here. What can you share with us?
Yeah, so the survey indicated that half of the people who were surveyed do not have a
disaster plan in place, and those who do have a disaster plan in place, they don't regularly test it.
I think it's the nature of human beings.
We become very, very complacent and the nature of data protection is such that
if I have an experience that I cannot imagine the impact of it,
but when you look at the numbers and you look at the potential loss of a business,
especially in situations where you have a retail organization
that has an application that accepts orders directly online from their customers.
If that's down, then every second of downtime translates immediately on lost revenue.
Those are the type of situations where a disaster recovery plan has to exist,
and quite frequent testing of that disaster recovery plan needs to happen.
And the organization needs to know, needs to estimate the amount of loss
per second, per minute, per hour, per day, etc.
That's Oussama El-Hilali from Arcserve.
The other major nation-state threat in the news today is Russia's GRU,
coming in for naming, shaming, expulsion, and indictment in three Western countries.
The GRU is also known as Fancy Bear and GU,
although no one really calls them GU apart from Russian diplomats,
indulging some org chart misdirection during tendentious press conferences.
The Netherlands has kicked out four GRU personnel after linking them to an attempted cyber attack
on the Organisation for the Prohibition of Chemical Weapons, that's the OPCW.
They're the international agency investigating the Novichok attacks in Salisbury, England.
Australia and the UK accused the GRU, in some detail, of cyber attacks against the World Anti-Doping Agency, the WADA,
the U.S. Democratic Party, and others.
Canada, which hosts the World Anti-Doping Agency in Montreal,
joined in the condemnation, saying officially that it
assessed with high confidence
that the GRU was responsible for hacking WADA. It's worth noting that the attempts on WADA and
OPCW appear to have been intended attacks on data integrity, altering rather than stealing
or destroying information. And the U.S. Department of Justice today indicted seven GRU officers on charges related to the hacking of WADA and other organizations around the world.
The indicted officers were all charged with conspiracy to access computers without authorization, wire fraud, and money laundering for buying computer equipment with cryptocurrencies.
Five were charged with aggravated identity theft.
One was charged with wire fraud specifically for engaging in spear phishing.
But who knows?
Maybe they're just a bunch of sports nutrition enthusiasts.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their
families at home? Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Craig Williams.
He's the director of Talos Outreach at Cisco.
Craig, welcome back.
We wanted to touch today on conferences,
on trade shows, and how to head into them. If it's something new to you,
how to get the most out of it.
What can you share with us?
I think security conferences are one of the best ways
to get experience in this industry
and definitely one of the best ways
to learn from your peers.
I think a lot of people go into conferences nervous
and they're concerned about how will people accept me? Will I be able to like connect with people that are on my skill level? You know, am I going to be overwhelmed? And I think what it really comes down to is you've got to think about why people are there. Right. How did most people get into security? It's curiosity. Right. Everyone's at these conferences because they're curious. They want to learn. They want to meet new people. They want to find people who have better ideas. They want to incorporate those better ideas. They want to share their good ideas. And so I think when it comes down to security conferences, really the first thing is just going in there and being willing to accept conversation from other people. Right. Go in like you would going into a party. You know, go in there and say hi to people. Say hi to people who you don't know. Say hi to people you do know and just start talking to them about what you're working
on, what you can share, what are they working on.
And obviously, if it's, you know, one like DEF CON or a Black Hat, you should already
go in knowing what talks you have to go to.
Right?
I think that's one of the mistakes people make sometimes is they wait until they actually
get at the conference and then they pull out the agenda and try to figure out what they
want to get into.
But unfortunately, if it's a conference where you have to sign up in advance,
you're going to end up missing a lot of the best talks. So it's always important. Look at the agenda
before you get there. When you walk in the door, make sure you start meeting the people you want
to meet because a lot of times it's your opportunity to meet, you know, like say your
hero, like somebody who wrote a security tool that you use every day and you want to talk to
them about it and ask them why they designed certain features certain ways.
And so I think it's one of those situations where you've really got to be appreciative of the time you're going to have.
Because let's be honest, we've all been at security conferences and we've all overdone it.
So you've got to make sure on the first day you hit what you want to hit because on the second day you might sleep in an extra hour or two.
Hey, maybe. I've been known to do that myself.
You know, I think you make an interesting point about introducing yourself to people and striking up conversations.
It's certainly been my experience that most people are eager to talk about their work.
You're rarely going to run into someone who either considers themselves too important to answer questions or to receive
compliments from someone who admires what they do. Yeah. I think a lot of people are nervous
to approach someone that they've followed their work before. But in my experience, I've never had
a negative reaction. And I've been doing this for 15 years, just going at people who've been in this
industry for 20 or 30 years and saying, hi, I'm blah. I love your work on blah.
Tell me about it.
Right.
And it's always well received.
And so I think, you know, in most cases, I'm sure there are times when it's not going to
work out that well.
But in most cases, I think if you put yourself out there and go in with a good attitude,
you're going to have a really good time and learn a lot.
I wonder, too, because I think sometimes I wonder if there's a mismatch, because if you follow a lot of security folks
in places like Twitter, there can be no shortage of snark, there can be no shortage of people
kind of flexing their muscles and demonstrating just exactly how smart they are. But I think, like
so many internet things, you know, when people are face to face, it might be a little
bit different than when they're hiding or they're safe behind the comfort of that keyboard.
Yeah. And, you know,
I don't even like to think of it like that. I think I like to think of it in terms of they
forget it's a person on the other end of the line. Right. At Cisco, one of the things that
we're really big on is video conferencing. And I've got to tell you, the difference between
talking to someone over video and talking to someone on the phone is 100% sometimes.
There are some people that are too busy.
They're not thinking about it.
They're just shooting a reply across the internet.
And it may come across as incredibly snarky and offensive.
But then you call them and you walk them through your thought process and they're 180.
They understand where you're coming from.
They try to explain their position.
And then everyone goes away a little bit smarter. And so I think you're right. It can definitely come across
that way. But I think face to face is a much better way to ensure that doesn't happen and to
make sure that, you know, you just communicate everything. I mean, let's be honest, some people,
you know, one or two in our industry, they might have a little bit of an issue communicating
certain things. I think you put them face to face, you really start reducing
that and you can really start, you know, having people make friends and get along.
Yeah, that's good advice. Craig Williams, thanks for joining us.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and impactful. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.