CyberWire Daily - Damage at Natanz, maybe cyber-induced but maybe not. Official Huawei skepticism spreads. Big European dragnet. Hushpuppi in custody.
Episode Date: July 6, 2020. An Iranian nuclear installation may have been hacked. Or maybe not, but in any case it was damaged. Huawei gets more skeptical looks. European police round up hundreds of online contraband dealers. Thomas Etheridge from CrowdStrike on the increased need for speed, scale, and remote investigative and recovery services. Our guest is Tobias Whitney from Fortress Information Security on the Asset to Vendor Network (A2V). And an accused Nigerian money-launderer (and an admitted influencer) is now in US custody, facing Federal charges. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/129
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
An Iranian nuclear installation may have been hacked, or maybe not,
but in any case, it was damaged.
Huawei gets more skeptical looks.
European police round up hundreds of online contraband dealers.
Thomas Etheridge from CrowdStrike on the increased need for speed, scale, and remote investigation and recovery services.
Our guest is Tobias Whitney from Fortress Information Security on the Asset-to-Vendor Network.
And an accused Nigerian money launderer is now in U.S. custody facing federal
charges. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Monday, July 6, 2020. An explosion and fire at Iran's Natanz Uranium Processing Center last Thursday
is being widely attributed to a cyber attack by Iranian sources and others.
Tehran said that investigators had determined the cause of the attack
but were withholding details for security reasons.
Reuters says that some unnamed Iranian officials said it was either a U.S. or Israeli attack,
but while promising retaliation for any cyber attack against its nuclear facilities,
Iran stopped short of publicly blaming either the U.S. or Israel.
Breaking Defense cited Israeli cyber experts,
who were quick to call the incident a kinetic cyber attack,
but who also said it wasn't an Israeli operation.
Over the weekend, senior members of the Israeli government,
including Foreign Minister Ashkenazi and Defense Minister Gantz,
issued soft denials or non-denial denials,
the Jerusalem Post reports,
apparently intended to preserve strategic ambiguity.
Before the fire became public knowledge Thursday,
the BBC's Persian service said a self-proclaimed Iranian dissident group, the
Cheetahs of the Homeland, claimed responsibility for the sabotage. But as the AP points out,
there's some implausibility in the Cheetahs' self-presentation. The name, for one thing,
is an homage to a national soccer team,
and the messaging elements are oddly mixed. Could they be an actual dissident group?
Sure, there have been and continue to be Iranian dissidents. Could it be misdirection,
a false flag? That's equally possible. So, while satellite imagery and Iranian
statements confirm a destructive fire, beyond that it's unclear what happened.
It's worth noting that Breaking Defense's sources understand cyber attack expansively,
including possible remote disabling of security cameras to facilitate sabotage.
And of course, talk of a cyber attack could itself be misdirection.
Many of the observers talking to the press are calling this recent attack coarse and inartistic when compared to Stuxnet. Accident or conventional
sabotage are at least as, and arguably more, probable, as Forbes sensibly notes.
Many of the original accounts of a cyberattack are being sourced to outlets in Kuwait.
See, for example, the stories in SecurityWeek
and Computing, both of which cite Al Jarida. The story is a developing one. We'll be following
it closely. In the meantime, expect cyber tensions between Iran and its regional and global adversaries
to remain high. Official attitudes toward the security risks posed by Chinese manufacturers continue to harden.
Bloomberg reports that British Prime Minister Boris Johnson intends to direct that Huawei
equipment be phased out of the UK's 5G build-out over the coming year. The decision is based on
consequences drawn from increasingly comprehensive U.S. sanctions against the Chinese hardware
vendor, sanctions that effectively impede Huawei from using U.S.-developed technology. As Bloomberg sources summarize input from the
National Cyber Security Centre, the NCSC has, quote, concluded that new U.S. sanctions mean
Huawei will have to use untrusted technology, making security risks impossible to control, end quote.
In Australia, amid widespread concern over Chinese cyber espionage and influence operations,
outlined by CPO Magazine, Prime Minister Scott Morrison plans to significantly augment the
Australian Signals Directorate, the Australian Financial Review reports. According to IT News,
the Attorney General's Department
is moving toward requiring tighter accountability for cybersecurity of government agencies.
India has been concerned about both Chinese hardware and apps. One of the challenges the
country faces is deciding how to balance the desirable low-cost and acceptable quality of
Chinese products against the undesirable
connections between Chinese companies and Chinese security and intelligence services.
The Wall Street Journal also reports that TikTok, one of the companies India has banned in the wake
of recent border clashes, has categorically denied that Chinese authorities had ever asked
it for data on Indian users and that even if the authorities had done
so, TikTok would have refused to comply. Mercom India reports that the Ministry of Power, quote,
has issued a notice mandating all power supply system equipment, components, and parts imported
into the country must pass through a check for harmful embedded software. The policy is not explicitly directed against any country's products,
and the inspections are justified on the grounds of the centrality of India's power grid
to the national safety, security, and economy.
And France's cybersecurity agency, ANSSI, advised French 5G telcos to avoid Huawei.
The government doesn't plan to ban Huawei from 5G,
but Reuters reports that the French Cybersecurity Agency
is advising the nation's telecommunications companies to steer clear of Huawei,
especially if they haven't committed to using the Chinese manufacturer's equipment.
ANSSI director Guillaume Poupard told Les Echos that there would be no ban,
but that the government does want to limit the role the company would play in 5G infrastructure.
In May of 2019, President Trump signed an executive order on securing the Information
and Communications Technology and Services supply chain. NERC has published guidelines for compliance,
which include a deadline of October 1st of this year. Tobias Whitney is Vice President of Energy
Security Solutions at Fortress Information Security, who've launched an asset-to-vendor
network website to help power utilities track their progress as the deadline approaches.
From my vantage point, the supply chain challenge has been becoming increasingly more difficult to mitigate and frankly, more recognizable throughout industry as it being a
real challenge. For the last 10 to 12 years or so, industry has been focusing on
developing and complying with a set of cybersecurity standards
that are applicable to electric power utilities. So large transmission owner operators, generation
owner operators, those that manage the grid ultimately are considered responsible for
complying with this set of rules, ultimately endorsed and
approved by the Federal Energy Regulatory Commission.
While they have been focusing on cybersecurity, which includes patch management and trying
to mitigate known vulnerabilities associated with systems on the grid, it was clear that
they couldn't do it themselves.
They needed to engage more of the vendor community and the supplier community
to really round out the cybersecurity effort.
So in the last couple years, I think about two and a half years ago,
FERC sent out a mandate, ultimately a request for a new addition to the cybersecurity standards,
and that was the supply chain standard, CIP-013,
and CIP-013 also required some tweaks to the existing cybersecurity standards,
CIP-002 through CIP-011.
So those standards are CIP-007, CIP-010, and CIP-005.
Can you give us some insights?
The folks who are on the ground who are dealing with this stuff every day,
who are responsible for the security of the electrical grid,
what is their sense right now?
Where do you suppose they feel as though we stand when it comes to the grid security?
I would say people that work at utilities and have boots on the ground,
and it's an industry I've been working very closely with for years,
always have had a feeling of being prepared, of recognizing that whatever the emergency is,
whatever the circumstance may be, they've been trained and ultimately ready to respond to a grid-related incident or event or cyber exposure, what have you.
Utilities are very good at identifying where there's an outage, responding to the outage, getting systems and operations recovered so that utility and electrical services can be
back up and running within a minimal amount of disruption.
And that's, frankly, been the culture of this
industry for quite some time. So many believe that, yes, even if we do have a cybersecurity
incident or threat, that through our training and activities and around preparing for cyber
and other types of outages and events, they feel relatively prepared. I think this
is something that can be managed. That's Tobias Whitney from Fortress Information Security.
There have been two major arrests involving cybercrime. First, the AP reports that police
in several European countries, notably Britain, France, and the Netherlands, cooperated in rolling up 746
suspects involved in trading contraband online. Together, they seized about $68 million in cash,
77 firearms, and more than two tons of drugs. Most of the suspects were collared in the UK,
but it was an international effort. Most interesting is the success the police had
monitoring criminal communications over the encrypted EncroChat application.
Motherboard reports that French authorities had penetrated the EncroChat network,
leveraged that access to install a technical tool
in what appears to be a mass hacking operation,
and had been quietly reading the users' communications for months.
Investigators then shared those messages with agencies around Europe.
And second, a major Nigerian Instagram influencer, Ramon Olorunwa Abbas,
better known online by his hacker name Ray Hushpuppi,
was arrested in Dubai and then extradited to the U.S.,
where he's now facing charges related to alleged conspiracy to,
as the U.S. Attorney for the Central District of California put it,
launder hundreds of millions of dollars from business email compromise frauds and other scams.
Mr. Hushpuppi's alleged victims include an American law firm,
a foreign bank, and an English Premier League football club.
That's football as in
soccer, Yankee. Anywho, Mr. Hushpuppi's self-presentation in social media has been
glorious, if, that is, you remain untroubled by the deadly sin of avarice and the attendant
deadly sin of envy that displays of avarice provoke in those less favored by the prince of this world.
Our favorite is a photo CNN has of the influencer, thoughtfully reading Forbes Asia while comfortably ensconced in a blanket and pillows aboard a private aircraft, a bottle of Fiji water in hand
just to stay hydrated. The only false note is the Fiji water, which our editor says the dollar store
across the street from him in Baltimore carries at a discount.
Maybe.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what
AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash
careers to learn more. Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility is
critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Consider San Pellegrino, if that's available in the Club Fed commissary. And joining me once again is Thomas Etheridge. He's the Senior Vice
President of Services at CrowdStrike. Thomas, it's always great to have you back.
I wanted to touch today on some of the things that you and your team are tracking in the wake of COVID-19.
Can you share with us what are some of the things that are top of mind for you?
Thanks, David. It's great to be back.
Some of the big things we're tracking really are around just the spike we're seeing
in malicious activity in the first half of 2020
versus what we saw about a year ago. So with companies moving workforces outside the office,
the attack surface has just expanded exponentially. A lot of organizations are slow to be able to get
tooling out to new infrastructure that they've provisioned to users that are now working remotely.
And the ability to be able to respond to breaches is becoming a challenge for organizations,
especially as the workforce becomes more dispersed.
Are you noticing anything in terms of the size of organizations?
In other words, has it been more challenging for a large organization to adjust here versus a small one, or is every case unique?
I think every case is unique.
Some organizations have the inventory of equipment and are able to leverage existing tools to provision and provide that capability for remote connectivity to an organization's infrastructure a lot more
gracefully than maybe smaller organizations.
We've certainly seen that in some of the state and local government organizations where moving
employees off-site has created some challenges in terms of some of the legacy tools and
infrastructure.
They're just not prepared for it.
Yeah, it's interesting.
I can imagine if you're an organization where someone came in and sat down every day to a desktop computer,
you might be in a different situation than somebody where everybody was provisioned with laptops
so they could just pick up and go home and not really skip a beat.
Exactly.
And the other factor here is cloud. So a lot of organizations
are pushing workloads to the cloud. It does provide that scalability and ease of connectivity,
kind of the work from anywhere model. And workload security creates additional sets of challenges. So
understanding the visibility and management of all of those
workloads in the cloud, it's become a challenge for organizations that haven't thought about that
over time. And what we're seeing is that security is a necessary requirement in order to make sure
that those organizations are able to continue to operate successfully, service their constituents
and customers. And it's really
become a big challenge for many organizations. You know, we're a couple months into this now.
Do you have any tips for organizations out there based on what you've seen and the companies who
have gotten it right? Any suggestions for making sure that you're up to speed in the state where we are today?
There's a couple of key things, I think. Number one is looking at endpoint protection capabilities
that are cloud native. So tools that don't require physical infrastructure are easily deployable,
both from a management and a protection perspective. That's kind of a key to the problem.
The other thing is patching. We've noticed a lot of organizations have not invested in
overall patching and keeping vulnerabilities snuffed out in their environment, especially
as organizations start to move to remote workforce. Patching becomes a little bit more of a challenge.
You have to wait for systems to be on the network in order for them to get patch updates and have those applied.
And additionally, the use of personal devices as well presents another problem for organizations
as they are allowing some of these personal devices to connect to the network. Knowing and
being able to manage the patch status of those environments is also a challenge.
All right.
Well, Thomas Etheridge, thanks for joining us.
Thank you, Dave.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.