CyberWire Daily - Energetic Bear’s battlespace preparation. Selling voter and consumer personal data. GRU, Qods Force sanctioned. How they knew that Iran dunnit.

Episode Date: October 23, 2020

Energetic Bear is back, and maybe getting ready to go berserk in a network near you, Mr. and Mrs. United States. Someone’s selling publicly available voter and consumer information on the dark web. ...Sanctions against the GRU for the Bundestag hack. The US sanctions Qods Force and associated organizations for disinformation efforts. Johannes Ullrich has tips for preventing burnout. Our Rick Howard speaks with author David Sanger about his new HBO documentary The Perfect Weapon. How Iran was caught in the emailed voter threat campaign. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/205 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Energetic Bear is back and maybe getting ready to go berserk in a network near you. Someone's selling publicly available voter and consumer information on the dark web. Sanctions against the GRU for the Bundestag hack. The U.S. sanctions Quds Force and associated organizations for disinformation efforts.
Starting point is 00:02:19 Johannes Ullrich has tips for preventing burnout. Our Rick Howard speaks with author David Sanger about his new HBO documentary, The Perfect Weapon, and how Iran was caught in the emailed voter threat campaign. I'm Dave Bittner with your CyberWire summary for Friday, October 23rd, 2020. We have several updates today on what TASS would be authorized to call blatant Russophobia. Yesterday, the FBI and CISA issued an alert that pointed out Energetic Bear for intrusions into U.S. state, local, territorial, and tribal government networks. Energetic Bear, also doing business as Berserk Bear,
Starting point is 00:03:20 and unambiguously described as a Russian state-sponsored APT, displayed some interest in aviation networks as well. The bear, say the Bureau and the agency, is, quote, obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high-value assets in order to exfiltrate data, end quote. One representative attack saw Energetic Bear move across a victim network to access files related to sensitive network configurations and
Starting point is 00:03:51 passwords, standard operating procedures such as enrolling in multi-factor authentication, IT instructions such as requesting password resets, vendors and purchasing information, and printing access badges. Nothing has actually been done with this stuff so far, apparently, at least as far as the FBI and CISA can tell, but it's not the sort of information one would like people who don't have your best interests at heart to get their hands on. The attacks have often been staged through Turkish IP addresses. They've involved brute forcing of credentials, SQL injection, and scanning for vulnerable Microsoft Exchange and Citrix services. As is now so often
Starting point is 00:04:33 the case, the attacks seem to exploit known vulnerabilities and therefore offer another good reason, as if any more were required, to pay close and conscientious attention to patching. This appears to be reconnaissance and battle space preparation. No disruption so far, but the actor may be seeking access to obtain future disruption options to influence U.S. policies and actions or to delegitimize SLTT government entities. Why would the bears be interested in SLTTs? Well, here's one reason. The SLTTs run
Starting point is 00:05:07 elections, not the feds. And who cares who wins the election anyway if you can retrospectively cause people to mistrust the way the votes were counted? Why are they interested in aviation targets? That's less clear, but some malicious aviation-themed sites have been established for drive-by and water-holing attacks. The alert recommends a number of defense-in-depth measures to monitor network health, mitigate known vulnerabilities, and reduce the organization's attack surface by closing down unneeded services. Much attention is being paid to security firm Trustwave's report of finding large databases of voters and consumers for sale in the
Starting point is 00:05:45 RaidForums dark web market. It's worth noting that this activity is distinct from Energetic Bear's snuffling around in state, local, tribal, and territorial networks. Most of the records pertain to Americans, but citizens of Canada, the United Kingdom, Ireland, and South Africa are also heavily represented. The offerings look like direct marketing databases, and the hoods selling them cheerfully acknowledge that much of the information on the block is freely obtainable from legitimate open sources. Much of the trade is conducted in Russian. In the right hands, Trustwave says,
Starting point is 00:06:20 this voter and consumer information can easily be used for geo-targeting disinformation campaigns over social media, email phishing, and text and phone scams, end quote. Criminal, political, or hacktivist, the tools remain the same. Some of the hoods posting to the forum are a little skittish, suggesting that maybe people should hold off on using this sort of stuff until after the first week in November, when the U.S. elections will be over, and presumably the heat will be off, a little bit anyway. Other participants remain indifferent, with one asking if, since he's got U.S. voter databases,
Starting point is 00:06:54 he can get a cartoon of a red bear drinking vodka and use it as his avatar. Ugh, it's always funny until someone gets arrested. Or, if not arrested, at least sanctioned. The EU and the UK have both levied sanctions against the GRU and two of its officers, who were particularly mentioned in dispatches for having hacked Germany's Bundestag in 2015. This is regarded as a win, ZDNet reports, for the German government, which has been pushing its sisters in the EU to
Starting point is 00:07:26 take an official position on the Russian hacking. Dmitry Badin and Igor Kostyukov are the two GRU officers singled out for travel bans and asset freezes, Politico says. Mr. Badin is an operator who's been indicted by both Germany and the United States for other capers. Mr. Kostyukov is a bigger fish. He's the first deputy head of the GRU, and he also commands the 85th Main Center for Special Services, also known as Military Unit 26165, and doing business as, of course, Fancy Bear. Other people have also been sanctioned,
Starting point is 00:08:04 perhaps in what might be called, but hasn't been, blatant Persophobia. The U.S. Treasury Department yesterday announced sanctions against five Iranian organizations for their role in conducting disinformation operations aimed at the credibility of U.S. elections. The five were the Islamic Revolutionary Guard Corps, IRGC, the IRGC Quds Force, the Bayan Rasaneh Gostar Institute, regarded as an IRGC front, and two media organizations, the Iranian Islamic Radio and Television Union and the International Union of Virtual Media, both, Treasury says, owned or controlled by the Quds Force. It's being said dumb mistakes facilitated attribution of the spoofed Proud Boys email threats to Iran. Carelessness in a video attached to many of the emails left traceable spore, Reuters reports. Here's how they know it was possible, from the way the video was shot, to do some virtual shoulder surfing. Quote,
Starting point is 00:09:05 The video showed the hackers' computer screens as they typed in commands and pretended to hack a voter registration system. Investigators noticed snippets of revealing computer code, including file paths, file names, and an IP address. End quote. The IP address, hosted by Netherlands-based Worldstream, was traced to earlier Iranian attacks. Cross-referencing this and other clues in the video with other sources of intelligence,
Starting point is 00:09:31 a U.S. official told Reuters on condition of anonymity, clearly indicated Iran. So, straight up, the U.S. says, It was Iran. A spokesman for Iran's delegation to the U.N. dismissed the U.S. accusations as malarkey. Quote, But the whole thing could have been avoided had the Iranian operators making the scare video not striven for so much verisimilitude. I mean, we've all seen TV. The way you depict hacking
Starting point is 00:10:08 is to have someone sitting at a keyboard, hoodie optional, geeky affect required, staring, typing vigorously for three seconds or so, and then announcing, I'm in. You focus on the operator's face, and you don't show the screen, and yet somehow the screen is being projected
Starting point is 00:10:24 onto the operator's face. If it works for Hollywood, it should work for Tehran, too. There's a reason genres have rules, you know. As it stands, Quds Force is probably saying right about now, quote, get me rewrite and hire that Alan Smithee. We've long admired his work. And with that,
Starting point is 00:10:43 cut! Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:11:15 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:12:12 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:12:57 Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. Hey, everybody. Rick Howard here, the CyberWire's chief security officer and chief analyst. I got the opportunity last week to interview David Sanger, the noted New York Times journalist, three-peat Pulitzer Prize winner, author, and now producer for an HBO documentary about his most excellent book, The Perfect Weapon, How the Cyber Arms Race Set the World Afire. The documentary is currently streaming on HBO and HBO Max.
Starting point is 00:13:39 Here's a piece of that interview. There's a scene in the documentary in which Sheldon Adelson, who's a big Republican contributor, goes to Yeshiva University and is giving a talk one day about the Iranian nuclear program. And he says, you know what we ought to do? We ought to take a nuclear bomb and explode it in the Iranian desert and sort of glassify it and then send the Iranians a note and say to them, this is what's going to happen to Tehran if you don't turn over your nuclear program. Now, I teach national security stuff in a graduate course at the Kennedy School at Harvard, and I would not call this the most subtle strategy that I've ever heard. But, you know, it's a strategy.
Starting point is 00:14:26 When I heard him say that on the documentary, I said, oh, yeah, that's going to turn out well. Yeah. So it turns out that not only you were listening to him say it, but who knew the Iranians get YouTube? And they watched him say it. Sheldon Adelson, Desert Sands. Wait a minute.
Starting point is 00:14:44 This guy owns a casino, doesn't he? He does. He owns the Sands Casino. And what do you know? About three months later, his employees walked in and discovered their hard drives had been wiped clean. Now, the immediate response of Sands Casino was to get everybody to sign nondisclosure agreements and just keep this whole embarrassing incident secret.
Starting point is 00:15:07 Fortunately, that failed. And on the documentary, you will see hidden behind changed voices and darkened shadows so you can't see their faces, some of the employees of the Sands describing what it was like to be on the receiving end of the Iranian hack. So we have Stuxnet, that's US and Israel. We have the Sony attacks, which is North Korea. And we have Sands Casino, which is the Iranians. We can't get you out of here without talking about the Russians. The Russians, yeah. And NotPetya.
Starting point is 00:15:45 They're busy. Yeah. Talk to us about NotPetya. So NotPetya was probably the most damaging hack ever done in terms of monetary damage. It was designed to attack Ukraine and bring it to a halt by going after an accounting system that all Ukrainian businesses are required to use by the tax authorities. But I think it ran on like Windows XP. And, you know, that's mostly what people in Ukraine were using. And not all of those, again, I know you'll be shocked, not all of those were legal copies.
Starting point is 00:16:24 Devastating attack. And the Russians have been using Ukraine as a testing ground. I think you called it in the documentary their petri dish, right, to test how to do stuff. And as they roll over to disrupting America, what are they doing against us? What are they doing against us? Well, against us, we saw it in the early attacks on the Pentagon, which really are what resulted in the creation of Cyber Command, and we take you through that a little bit in the documentary.
Starting point is 00:16:59 But they also went after the email systems at the White House, the Joint Chiefs of Staff, the State Department. They got into the State Department systems, in fact, to the point that the State Department had to close down their systems at various points. And all of these led the United States to do absolutely nothing in return. And so if you're Vladimir Putin and you're thinking, okay, if these guys aren't going to defend the White House system, why would we possibly think that they would care about the Democratic National Committee?
Starting point is 00:17:30 And the answer is that Putin concluded they probably won't. And, you know, what's really remarkable is Cyber Command came up into being. They were focused on things like taking out ISIS, which was definitely a big issue in 2016. And they really weren't looking internally at our election system. And so this combination of hack and leak, of break into the DNC, of make this stuff public, of the Facebook ads, of the Influence campaign. It's not like they had their radar off the way the U.S. military did in Pearl Harbor. Rick, they hadn't even built the radar. Now, we're doing better this year because they had built the radar.
Starting point is 00:18:23 But, of course, the Russians are trying some new and different techniques now. So you published the book in 2018. The documentary is coming out just over two years after. Is there anything between the two that's kind of crystallized in your mind or fundamentally changed? Well, we have updated this to reflect modern. Actually, there's a big section on perception hacks, which is what you do when you do ransomware in one or two places to make it look like much more.
Starting point is 00:18:54 So we brought it sort of up to date. You'll see people like Eric Rosenbach, co-director of Harvard's Belfer Center, but was the chief of staff to Ash Carter at the Pentagon when he was Secretary of Defense, talking about the calculus that you make as you're under cyber attack or as you're trying to think about what the U.S. can go do. So the idea is to bring you in at a very human level to the kind of decisions that have to be made when you're on the receiving end and when you're on the offensive end.
Starting point is 00:19:25 The full version of this interview will be available very soon right here in this same feed. The documentary is currently streaming on HBO and HBO Max, and I highly recommend it. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:20:37 And I'm pleased to be joined once again by Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute and also the host of the ISC StormCast podcast. Johannes, it's always great to have you back. I want to touch today on, well, I guess we're talking a little bit about alert fatigue, some of the things that you and your team have been tracking here. What do you have to share with us today? Yeah, this is really partially based on personal experience, but also a lot of the reports we're getting in from readers at Internet Storm Center that send us logs and such. A common theme here is that, hey, I'm being attacked all the time.
Starting point is 00:21:11 Here are my firewall logs. What am I supposed to do about that? And honestly, my answer is often nothing. Don't worry. First of all, if you're looking at your firewall logs, those are actually alerts that you usually don't have to worry about. Because these are attacks that got blocked by your firewall. That's why they ended up in the firewall logs. So that's one part of it.
Starting point is 00:21:36 In other parts, what you're really looking for is sort of what's not showing up in your logs. That's the hard part. And often logs and systems that are presenting these logs, it's a little bit also a problem with security tools already more distracting you from what's actually happening on your network. So it's this flood of information that's always coming in, that noise where you have to try to find the signal within it? You have to find the signal within it, and you really have to get a little bit that more casual attitude to it. It sounds a bit scary,
Starting point is 00:22:11 but the title of the post that I had was, today nobody's going to attack you. And that's probably right. For most organizations today, nobody's going to attack you. All you're going to see is these attacks. You're going to see they're not targeting you. They're looking for systems that you're not running.
Starting point is 00:22:28 If you're running a web server, probably 90% of the attacks that you'll be seeing will be targeting software that you're not using, like some kind of home firewall admin interface, something like WordPress and such. So really, it's nothing for you to worry about. The real skill here, I think, is to know what to ignore and in some ways also to have a little bit of thick skin here and not really get excited about every single attack that you're seeing.
Starting point is 00:23:00 Well, how do you find balance here? I mean, how do you end up not having a false sense of security? That's really, I think, where experience comes in. And also it matters that you tune your tools. Ideally, if you have a security dashboard, and I'm very much idealizing it here, it should be blank. You shouldn't really see anything. And whenever something pops up, that should be something new, that should be something special. And what you really want to do is more sort of approach it from that hunting that's sometimes proposed these days, where instead of waiting for the log to come to you,
Starting point is 00:23:37 you're actually going out and looking for the attacker in your network. So basically take that other approach. That I think usually works better. You get more meaningful results that way. And I think it's also for the overall sort of mental health of the analyst a little bit better to approach it that way. Yeah, maybe not have so much anxiety, right? Correct, not have so much anxiety. And at the end of the day, you're just done.
Starting point is 00:24:06 You're going home and next day you'll try again to find him. All right. Johannes Ullrich, thanks for joining us. Thank you. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:24:36 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed, like a rock. Listen for us on your Alexa smart speaker, too. Don't forget this weekend to check out Research Saturday and my conversation
Starting point is 00:24:53 with Tom Mahler from Ben-Gurion University on a new technique to prevent medical imaging cyber threats. That's Research Saturday. Check it out. The CyberWire podcast
Starting point is 00:25:04 is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you. AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
