CyberWire Daily - Developments in the Discord Papers, including notes on influencers and why they seek influence. Tax season scams. KillNet’s selling, but is anyone buying?
Episode Date: April 17, 2023

The alleged Discord Papers leaker has been charged. We look at how the Papers spread online. A life lived online as a security risk. US tax season scams, at the 11th filing hour. Caleb Barlow from Cyl...ete on the layoffs in security that many thought would never happen. Maria Varmazis and Brandon Karpf share the launch of the new space podcast, T-Minus. And KillNet says it’s open for business.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/73

Selected reading.
Inside the furious week-long scramble to hunt down a massive Pentagon leak (CNN Politics)
Massachusetts Air National Guard’s Intelligence Mission in the Spotlight (New York Times)
Leaker of U.S. secret documents worked on military base, friend says (Washington Post)
WSJ News Exclusive | Social-Media Account Overseen by Former Navy Noncommissioned Officer Helped Spread Secrets (Wall Street Journal)
A Russian Disinformation Empire in Oak Harbor, Washington (Malcontent News)
Pro-Russia propagandist unmasked as New Jersey tropical fish seller (The Telegraph)
Suspect charged in case involving leaked classified military documents (Washington Post)
Jack Teixeira, suspect in Pentagon leaks, charged under Espionage Act (the Guardian)
Leak suspect appears in court as US spells out its case (AP NEWS)
Airman in Pentagon intel leak charged (Military Times)
Airman charged in Pentagon intel leak regretted joining the military (Military Times)
He’s from a military family — and allegedly leaked U.S. secrets (Washington Post)
Jack Teixeira's alleged Discord leaks show why the US should stop showering Top Secret clearances on 21-year-old keyboard warriors (Business Insider)
The military loved Discord for Gen Z recruiting. Then the leaks began. (Washington Post)
A new kind of leaker: Spilling state secrets to impress online buddies (Washington Post)
Was the Gen-Z Pentagon leaker motivated by social media clout? (the Guardian)
Microsoft president claims Russian intelligence is trying to "penetrate gaming communities" (GamesIndustry.biz)
How Gamers Eclipsed Spies as an Intelligence Threat (Foreign Policy)
Crafty PDF link is part of another tax-season malware campaign (Record)
Tax season scams. (CyberWire)
Ukraine at D+414: Discord Papers arrest, cyberespionage, and hacktivist DDoS. (CyberWire)
Transcript
You're listening to the CyberWire Network, powered by N2K.
The alleged Discord Papers leaker has been charged.
We look at how the papers spread online.
A life lived online as a security risk.
U.S. tax season scams at the 11th filing hour.
Caleb Barlow from Cylete on the layoffs in security that many thought would never happen.
Maria Varmazis and Brandon Karpf share the launch of the new space podcast, T-Minus.
And Killnet says it's open for business.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Monday, April 17th, 2023.
The alleged Discord Papers leaker has been charged. Jack Teixeira appeared Friday in federal court in Boston
to face charges under the Espionage Act.
The AP reports that he's accused of two counts of unauthorized retention
and transmission of classified national defense information.
He did not enter a plea, but a federal magistrate judge ordered him jailed
until a detention hearing next week.
The motivation of the alleged leaker was, by all accounts, not ideological,
but simply a desire to show off in the disinhibited online world.
Mr. Teixeira was evidently a leader and influencer within his small Discord circle,
and the Washington Post cites a friend of Mr. Teixeira's
who knew something of his online followers as explaining his alleged motive
as wanting to share and show off the secrets he knew to a small circle of online friends
who bonded over video games.
Foreign Policy has a reflective essay on the role social media have come to play in espionage.
The authors, Jonathan Askonas, assistant professor of politics at the Catholic University of America,
and Renée DiResta, a technical research manager at the Stanford Internet Observatory,
describe the mindset of a leaker, stating,
The likely motivations of the leaker are impossible to understand without digging into the deepest layers of Internet culture.
This leak is not a strange one-off,
but a harbinger of a future where secret statecraft meets an online world,
in which, for many people, the virtual is replacing the physical
as a source of companionship, camaraderie, and social clout.
This online world is fast replacing traditional espionage as a source of intelligence leaks,
a shift that has profound implications for the future of spycraft, especially counterintelligence.
Online relationships can combine both a much-sought intimacy and a sense of safety, of being at
least one layer away from the direct risks of personal contact. That sense of safety is,
of course, misplaced, but it comes very easily. And the transactional nature of online relationships,
which amount to a gift economy, also tempts people to share secrets better left unshared.
Askonas and DiResta write,
Internet communities operate as gift economies where one's status is largely determined
by the valuable content one brings to the community
– spicy memes, obscure videos, interesting links, or secrets.
Any organization considering insider risk
might take the picture the essay offers to heart.
Many of the online communities people find so engrossing, like those hosted by Discord itself, are formed of gamers.
And this hasn't gone unnoticed by military and intelligence services themselves.
The U.S. Department of Defense has sought to use Discord as a recruiting resource, for example, the Washington
Post reports, much as earlier recruiting campaigns had used television ads and high school visits
to connect with potential recruits. And hostile intelligence services haven't been a slow study
either. GamesIndustry.biz quotes Microsoft President Brad Smith as commenting that the company's
researchers have observed Russian services spending more time and effort
to penetrate, compromise, and manipulate online gaming communities
for traditional espionage and influence operations.
The Discord Papers apparently spread with the help of another online fantasist,
the self-styled Donbass Devushka, a Donbass girl, who claimed to be from Luhansk.
In some persona, she gave her first name as Mila, but in fact, according to the Wall Street Journal,
is allegedly one Sarah Bils, a 37-year-old from Voorhees, New Jersey, a U.S. Navy veteran who now lives in the Pacific Northwest.
Donbass Devushka has for some time blogged and podcast pro-Russian memes and topics.
The podcasts are said to have been delivered in an implausible Ensign Chekov-style Russian accent.
She collected and reposted much of the stuff that was circulating in the Thug Shaker Central Discord channel.
Her motives appear to be the increasingly familiar desire for influence and place in the online social world.
So, fellow Americans, did you file your income tax returns two days ago on April 15th?
Haha, just kidding. That wasn't the deadline this year.
Tuesday, April 18th is the day
on which U.S. income tax returns are due this year,
the traditional April 15th deadline for filing,
falling as it did on a weekend,
and Emancipation Day's observance on Monday
pushed the filing deadline back an additional day.
Tax season is usually an occasion for a wide range of
fraud, combining, as it does, fear and greed, emotions that tend to cloud the judgment and
render people vulnerable to scams. This year, a number of such scams, however, have been targeted
at victims who normally have greater detachment than the harried and baffled taxpayers themselves.
Sophos researchers report that criminals on the eve of the U.S. tax filing deadline
are conducting spear phishing campaigns against tax professionals themselves.
Sophos writes,
Financial accountant firms and CPAs are in the crosshairs this tax season
as a threat actor is targeting that industry
with an attack that combines social engineering
with a novel exploit against Windows computers
to deliver malware called GuLoader.
GuLoader is an unusually evasive shellcode-based downloader
that can be used to infect compromised victims
with follow-on attacks.
The use of password-protected zip files
has been noticed for over a month.
Securonix began publishing research into this particular threat as early as March
when they identified a campaign of hyper-targeted phishing emails they tracked as Tactical Octopus.
The bundling of the malicious phish hook in a password-protected zip file has proceeded in distinct stages.
After the criminals initiate contact, they induce an initial infection, a PowerShell
one-liner command that downloads the Visual Basic file. The next phase is VBS file execution,
which in turn enables PowerShell execution, at which point they've achieved access to the victim's system.
It's a clever campaign. Securonix says that attribution is ambiguous, but that circumstantial evidence points to a Russian threat actor. They say two of three IP addresses identified in the
attack were registered to Petersburg Internet Network Limited in the Russian Federation.
This could indicate Russian origins.
However, the possibility of false flag operations cannot be ruled out at this point.
According to Microsoft, in most cases, the scammers are installing the Remcos remote access
Trojan. Remcos, developed in 2016 and in malicious use since shortly after its introduction,
enables the attacker to gain administrative privileges in Windows systems.
Microsoft writes,
Successful delivery of a Remcos payload could provide an attacker the opportunity to take control of the target device to steal information
and/or move laterally through the target network.
So spare a thought for your local tax professional.
They work under challenging circumstances,
and by that we mean a lot more than the challenges of reading all those sales slips you give them for professional expenses
and all those oddball handwritten notes for charitable contributions.
And to return to online activity in Russia's hybrid war, we close with a bit of
news about Killnet, the Russian hacktivist auxiliary. An advertisement on Killnet's
Telegram channel is offering gigabytes of NATO documents. The ones they show are training
PowerPoint presentations at the lowest classification. They want three Bitcoin for the
documents, which at yesterday's exchange rate is about $91,000. That's almost what a newly promoted
U.S. Air Force colonel makes in a year's base pay. Apparently, the leaks aren't selling at that price,
so Killnet has knocked down its ask and repackaged its merchandise. But caveat emptor, friend.
Think about it.
It's training.
PowerPoint.
Slides.
But as Killnet might say, hop to it, world.
Or not.
We'll pass.
Coming up after the break, Caleb Barlow from Cylete on the layoffs in security that many thought would never happen.
Maria Varmazis and Brandon Karpf share the launch of the new space podcast, T-Minus.
Stay with us.
And it is my pleasure to welcome to the show a couple of members of the CyberWire team,
or perhaps I should say the N2K Networks team.
Maria Varmazis is our space correspondent,
and Brandon Karpf is the executive director of our new markets.
Maria, we have some exciting news to share here with our CyberWire listeners who are
familiar with you from being our space correspondent, but you're branching out on your own here now.
I am. I'm striking out into the final frontier.
Love it. Well, tell us about the show.
Yeah, I am now, I'm the new host of our new show called T-Minus,
the daily space podcast for space professionals.
Well, let's dig into some of the details here. I mean, why this show and why now?
Well, we are in what's often called the new space era. So if our listeners are familiar with all the
satellites going up into space, courtesy of folks like SpaceX, we've got so much going on in the
space industry, thousands of new satellites,
lots of development happening across commercial sectors and government sectors and the military,
lots of incredible developments happening and happening extremely quickly.
So we thought that it was time for us to help the professionals out there who are working in this field, whether they're private or public sector, and give them the daily news
that they need to stay on top of the very fast-changing developments in their world.
And that's exactly what we're doing with T-Minus.
And Brandon, can we speak to the launch of this podcast from the bigger picture,
where it fits into N2K Networks?
Yeah, sure.
So this has always really been the plan for our larger company,
which is to find these industries that
have a professionalized workforce, a set of people who work in the industry who, they're not lawyers,
they're cybersecurity lawyers, they're not CEOs, they're cybersecurity CEOs, and find that industry
that is characterized by having a workforce that needs to stay in the know and stay up to speed with a rapidly and
relentlessly changing information environment. And what we find in the space industry is it's
exactly that. It has a professionalized workforce. They have engineers, CEOs, policy people and
lawyers, accountants and marketing folks, all who are focused on this industry, which is,
as Maria said, the new space era.
And at the same time, you see tremendous investments, thousands of companies coming
online, a rapidly changing technology ecosystem that's really hard to stay on top of. And what
we're doing at N2K Networks is we're focusing on those industries characterized by those two
dynamics. And we're breaking it down just to make it easier to stay in the know and delivering you as that professional the information you need to know every single day
to stay on top of things and to continue to develop as a professional in that field.
So that's our focus at N2K Networks more broadly. And here we are doing this for the first new
industry since cyber, which is the space industry.
Maria, I know lots of our listeners are familiar with you from your appearances on our show,
also on Smashing Security in the cyber realm. Can you give us a little bit of information on your background when it comes to space?
Mainly an enthusiast, to be honest with you.
I wanted to be an astronomer growing up, so I studied a lot of
the physics, the very basic physics for astronomy, went to engineering school. Some people know my
story. I did two years of that and then left after a while. But basically, cybersecurity has been my
focus for a good while. So I am pivoting into space, and I'm very upfront about that. I'm new,
and I'm learning about the space industry as I go. And I'm hoping to take listeners on that journey with me.
Now, I've been doing this for a couple of months now, actually more like half a year now come to think of it.
So I'm not completely green, but it's been an amazing journey of learning for me.
And I've got to say, folks in the space industry are extremely generous with what they are happy to share.
And that way, it actually reminds me of the cybersecurity industry.
People are really happy to share their expertise and they're like,
hey, you were interested in this? I'll teach you all about it.
Come on in and I'll show you the ropes.
So it's been fantastic.
And there's actually a lot of cybersecurity overlap in the space industry,
which has been awesome.
So that's been a kind of nice on-ramp for me as well.
Well, and Brandon, that was going to be my next question for you,
is can we expect to see some synergy between these two efforts? The cyber and space, as Maria says,
certainly a lot of crossover there.
Most definitely. These are two very close industries.
When you think about the space architecture and the technology, everything is connected through
the radio frequency. Everything
has communication protocols. There's encryption considerations. You have the space segment,
the things in orbit that have security considerations, software and hardware.
You have the ground segment, the systems on the ground receiving communications and transmitting
communications that have security considerations.
And then you have the links segment in between the two, again, thinking about the whole host
of cybersecurity topics. So cybersecurity is definitely going to be a topic that we cover
regularly, especially considering where we come from as N2K Networks and born from CyberWire.
So that's definitely one of the core topics that we will cover regularly.
And then there will be more.
We'll be discussing satellite technology, launch services, human spaceflight,
military space, business and investing, and a lot more.
So we're covering the entire industry as well,
but it's a fascinating technical space.
Well, as an amateur lifetime space nerd myself,
I'm excited for the launch of this show.
It's called T-Minus.
Maria, where's the best place for folks to find it?
Any place where fine podcasts are purveyed.
So if you're a Spotify or Apple fan,
it's fine, we're there too.
So we're everywhere.
So just look for us, T-Minus Space Daily,
and you'll find us.
All right. Maria Varmazis is the host of T-Minus, a new podcast from N2K Networks. And Brandon Karpf is executive director of new markets for N2K Networks.
Thanks so much, both of you, for joining us.
Thanks, Dave.
Thanks, Dave.
And I'm pleased to be joined once again by Caleb Barlow.
He is the founder and CEO at Cylete.
Caleb, it is great to have you back.
We are seeing something right now that I think many of us wondered if we would ever see in
cybersecurity, and that's broad layoffs.
Many of the big companies, well, I'd say companies big and small, are cutting back on staffing.
What's your perspective here?
Well, I mean, hey, folks, we're not all that special anymore.
We're in with everybody else.
And guess what? The economy is slowing down, and we're seeing security professionals laid off really in mass numbers for the first time.
So let's talk a little bit about if this happens to you, and by the way, it can happen to anybody.
I mean, if you're in your career long enough, I've had to lay plenty of people off and I've
been laid off before. Let's first acknowledge the first thing: it sucks. But now that it's happened, let's muscle up and let's get through it.
And, you know, I think the first piece of advice here is try to spend a couple of days and only a
couple of days understanding why, you know, what is it that may be about you or about your job or
about what you were doing, put you in that target zone
just so it doesn't happen again. And you're probably not going to get that feedback from
your immediate manager because, well, they have to be very cautious about what they say once they
lay somebody off because obviously they're worried about legal repercussions. But reach
out to your peers, reach out to your colleagues.
Maybe there's some learning moments there either for you or in your job search for what types of jobs or functions you want to do or what types of companies you want to work for in the future.
Is it worth noting that sometimes, especially when you have big numbers like this,
there always isn't a rational why? Sometimes you just get caught up in the numbers?
100%. And again, this can happen to anybody. And even when it's performance-related,
I'll tell you, some of the best people I have ever hired have had horrible performance at other companies. Sometimes it's just the right person cast in the wrong role. And that's okay.
The important thing is, can you acknowledge that?
Can you kind of learn from that and make sure you don't get in that situation again?
I see.
The other thing that's really key here is mental health matters.
And this is not going to be an easy journey.
It's going to be hard.
It's going to take a while.
And you've got to prioritize your mental health and what that means to you through the journey,
right?
It doesn't mean you spend 40 hours a week looking for a job.
You know, you've got to give a little bit of time to yourself in this and frankly,
leverage some of that downtime to recharge.
Otherwise, you're just not going to end up in a good place.
I think part of the surprise here is that for years now,
we've been saying there aren't enough people in cybersecurity.
We're never going to catch up.
And so I think it's a little bit of a punch to the gut
for a lot of folks to see that the people have been saying that
for all these years. No, layoffs can hit anybody.
Well, layoffs can hit anybody. I do think the positive way to look at this is the odds of you
finding a new job, finding potentially even a better job, are very high relative to other
careers or other pursuits. So, you know, this isn't really so much that the industry is taking
a hit, although the, you know the aggregate number of open jobs has dropped.
I think this is more of an issue of there are a lot of companies that were growth-oriented, that got over their skis.
And now, whether it's venture capital, private equity, or public companies, the expectation now is people are moving towards profitability.
And sometimes that means, hey, we've really overstaffed or we're overspending.
And to be blunt, there are also cases, particularly in the cybersecurity industry, where people have been spending lots of money on really dumb things
that don't necessarily move the needle and that heyday is over.
So that's the other aspect of this.
Now, I think one of the other big things to really recognize in this, and this is particularly true on LinkedIn, but you're going to see this in other job boards as well, is that these, just like we all heard about how particularly teenage girls were getting hit hard with kind of body shaming issues on Instagram and other social media sites during the pandemic, right? And this became
an issue for mental health. The same thing can happen when you're job seeking, you know, kind of
that job shaming, if you will, a lot of what you're going to see out there are kind of the bro shots
of people out at the, you know, the golf course with their buddies or, you know, or standing next
to, you know, some notable in the cybersecurity field or a government official
or whatever, you're also going to see what gets amplified on these sites is highly biased.
It's biased towards, remember, recruiters are looking for certain demographics,
marketers are looking to push certain demographics. So these things naturally get repeated and
amplified, right? So depending on where you fit in that, you may find, hey, I just don't seem to
get a whole lot of traction. It's not you. Recognize these sites are biased. That's okay.
I mean, that's just where you're going to have to operate. But you've got to be cognizant of it
enough because, again, if you look at your own value as how many shares you get or how many people are looking at what you post, that can get really depressing really quick.
And it's just not the case.
Yeah.
There's that old saying about be careful not to compare your own behind the scenes with someone else's highlights reel.
Exactly, right? And, you know, I mean, to put a more pointed tip on this, right? We're an industry
that is desperately looking to bring more women into the cybersecurity field, and that's fantastic.
But what that means is that posts from, let's say, a technical female in the cybersecurity field are going to get
significantly amplified. You know, on the other hand of this, you know, unfortunately,
you know, we often look at people of Russian or Chinese descent as the enemy. So, you know,
you might be a U.S. citizen that just happens to have a Russian-sounding name, it's going to be really difficult to get that kind of amplification on these sites because it's security professionals
that are looking at it. Again, it sucks. It's unfortunate. It's bias. But be aware of it.
And there are lots of ways to kind of work around it and be knowledgeable of it and be cognizant of
it.
Yeah. What are your recommendations then
here, given that this is our new reality? What do you think?
Well, first of all, again,
mental health matters a lot. Recognize that a lot of job posts are bogus and excessively filtered.
So it isn't so much about getting out there and applying to a gazillion jobs as it is leveraging your network. Get on the phone,
talk to everybody you know, because they may find out about a job opening that you might be perfect
for a month down the road. You should be prioritizing talking to people versus posting
and applying on job sites. Not that you don't want to do those other things. The other thing is,
don't be afraid of doing some free work. You know, if you find about somebody starting a company or doing something,
and maybe you have a skill that can help them out, dive in a bit, you know, you've got the time.
Or for that matter, even send an unsolicited proposal to someone on how you think you could
improve what they're doing. Maybe you're a marketer and you've got an idea for a campaign
that'd be perfect for a company. Drop the CEO an email.
Prioritize person-to-person communications.
And I don't think you'll be laid off for long.
All right.
Well, good insights as always.
Caleb Barlow, thanks for joining us.
Thank you.
stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the
Grumpy Old Geeks podcast, where I contribute to a regular segment called The Dark Side with Dave.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire podcast is a
production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester, with original music by Elliott Peltzman.
The show was written by John Petrik.
Our executive editor is Peter Kilpe, and I'm Dave
Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.