CyberWire Daily - Investigation into ShadowBrokers focuses on former insiders. Threat analyst doxed. Trickbot and NotPetya updates. Sweden's big breach. DPRK hacks online gaming for revenue.
Episode Date: July 31, 2017
In today's podcast we hear that US investigators are looking for a disgruntled former insider in the ShadowBrokers case. Operation #HackTheAnalyst claims to have doxed a threat intelligence analyst. Electrical utilities look to their defenses. Trickbot gets wormy. NotPetya continues to have material effect on its corporate victims' earnings. Sweden's government shaken by its data breach. ISIS loses brick-and-mortar presence; may be moving online. Ransomware's lethality to small businesses may be exaggerated. And how do you fund a nuclear program? Malek Ben Salem from Accenture Labs, on their work developing a global ID system for refugees. From Pyongyang, Texas Hold 'Em looks like a good bet.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
U.S. investigators are looking for a disgruntled former insider in the Shadow Brokers case.
Operation Hack the Analyst claims to have doxed a threat intelligence analyst.
Electrical utilities look to their defenses.
Trickbot gets wormy.
NotPetya continues to have material effect on its corporate victims' earnings.
Sweden's government is shaken by its data breach.
ISIS loses brick-and-mortar presence but may be moving online.
Ransomware's lethality to small businesses may be exaggerated.
And how do you fund a nuclear program? From Pyongyang, Texas Hold'em looks like a good bet.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, July 31, 2017.
Speculation about the shadow brokers increasingly turns toward the possibility
that their source is a disgruntled alumnus or alumna of NSA.
CyberScoop says it's been talking with multiple people familiar with the matter
who say the investigation is focusing on former employees who had access and an axe to grind.
Two of their unnamed sources tell them, the publication says,
that the incident goes far beyond the Hal Martin case,
in which a contract worker at NSA allegedly removed a very large quantity of highly classified information.
An insider seems in many ways likely to be involved.
The possibility that the stolen information the brokers have been hawking
came from an NSA attack server left inadvertently exposed
was entertained soon
after the hacking group began dumping material last summer, but that has come to strike many
as less likely. Among the classified material leaked are found, for example, PowerPoint
presentations, not in most observers' view the sort of thing one would find on a staging server.
So, an insider feeding a state actor seems likely. At Black Hat last week,
the shadow brokers were given a pony award. The ponies always credit an individual or group for
a real or a dubious achievement. The credit line on the shadow broker's prize was the Russians.
Straight up, the Russians. Another apparent hack, this one on an individual legitimate security analyst, came to light earlier today.
A Mandiant analyst's personal accounts were seemingly breached,
with doxing carried out on Pastebin by a person or persons calling themselves the 31337 hackers.
The doxing was, they say, part of Operation Leak the Analyst.
They also claim to have breached Mandiant's system sometime in 2016,
but there are no documents posted so far that suggest this is anything beyond extravagant
boasting. Mandiant is a unit of FireEye, and FireEye says it's found no evidence that any
of its systems or networks were compromised. But of course, an investigation is in progress.
As far as declared motivation, the 31337 hackers say they've long resented legitimate security analysts
and have decided to target them as individuals.
The communiques that accompanied their Pastebin doxing aren't quite written in shadow brokerese,
but there are some similarities.
One of the shadow brokers' linguistic stigmata is a mangled plural, as in their use of peoples.
There are signs of this in what the 31337 hackers have to say.
For example, this document describes some of the key events of the past two months related to cyber espionage.
Not quite as mannered and contrived as the shadow brokers.
Indeed, it's within the range of what one might see in an undergraduate's term paper. But still, Operation Leak the Analyst will bear watching. Researchers have offered
electrical utilities advice on how to discern early signs of cyber attacks similar to those
that have afflicted Ukraine. Dragos and others warn that the malware employed is readily adaptable
to grid targets anywhere. Such targets need not be older forms of power generation and distribution.
Wind farms, for example, are also susceptible to attack.
WannaCry and NotPetya owed some of their wildfire spread to their worm-like functionality.
Flashpoint researchers warn that the venerable banking malware TrickBot
(venerable in malware terms: it's been around for
more than a year) has adopted some similar techniques to enable its own dissemination.
It's now being found in a much wider geographical region. Some U.S. banks have seen incursions,
which is relatively new. The effects of NotPetya continue to be felt. At the end of last week,
pharmaceutical company Merck disclosed that
its manufacturing had been disrupted and has yet to fully recover. Merck warns that the attack can
be expected to have material effects on the company's performance. It can be expected that
more companies will warn over the coming month. Sweden's large government data breach has resulted
in two more departures from that country's cabinet.
The ministers responsible for home affairs and infrastructure have both left the government.
The breach involved Sweden's transportation agency.
It began in 2012, was detected in 2016, and is not expected to be fully remediated for
some months yet.
The cause of the data exposure is being put down to improper supervision of a
$100 million deal with IBM to handle driver's licensing and vehicle registration. The agency
failed, apparently, to control what data it handed over and how the data was controlled.
The Swedish prime minister called the breach of information a total breakdown, saying,
it is incredibly serious, it is a violation of the law and puts Sweden and its citizens in harm's way. The head of their security service said,
This is very serious because it could damage our operational business that we are conducting every day in order to protect Sweden.
Sweden's transportation agency handles data such as the weight capacities of roads and bridges,
potentially useful to an invader,
and the type, model, weight, operations, and condition of government and military vehicles,
from which, among other things, order of battle could be inferred.
There was also much private information at risk,
including the names, photos, and home addresses of Air Force pilots, anyone in police registers,
people in witness relocation programs, and members of the Swedish Special Operations
Forces.
ISIS has lost most of its core territory.
Observers expect that the terrorist group will make some attempt to reconstitute its
claims to being a renewed caliphate through its online presence.
Small businesses can be hit hard by ransomware, but NextGov reports that the widely quoted statistic that 60% of the businesses so hit go under within six months is exaggerated.
The publication says it's working to run the stat to ground, but that it's symptomatic
of the shaky information that circulates in the cyber sector.
Finally, you may have heard that North Korea not only tested an ICBM at the end of last
week, but that it's got an
aggressive nuclear weapons program, too. How does Pyongyang finance that program? In significant
part through cybercrime. A particular favorite of DPRK hackers appears to be online poker.
And I'm pleased to welcome back Malek Ben-Salem. She's the R&D manager for security at Accenture
Labs. Malek, welcome back. Today we wanted to talk about some interesting stuff that
you've all been up to at Accenture with global ID systems for refugees. Tell us about that.
Yeah, so Accenture announced last month at the ID2020 conference, and ID2020 is a global public-private
partnership dedicated to solving the challenges of identity faced by a billion
people around the world.
But at that ID2020 conference, Accenture announced a new global ID system for refugees that is
built on blockchain technology.
The choice of blockchain technology is obviously because it's distributed and therefore
available most of the time.
But it also has some capabilities that allow the data owner to have control over what records
get shared with whom.
And we know that refugees face significant problems because they lose their proof of
existence, their proof of identity in zones of war and crisis.
And so they need a way to establish that identity in order to get services such as education and
healthcare services provided by the UN or by other organizations. This new technology, this new global system should be able to help them establish their identity as they cross borders.
And so take me through from a practical point of view, how exactly does it work?
Let's say I'm a refugee, how are you going to establish an ID for me?
So you would sign up with your biometric data. It could be your fingerprint or your iris scan or some biometric
data to establish that identity. But also organizations that have access to your records,
let's say the school you went to, which has access to your diploma, would sign up to the same system and would share that data to verify that you have that
record, right? So the data would stay off blockchain, but the verification happens through the blockchain.
So is it a situation where through various types of data, the strength of the certainty of that ID gets improved over time?
Yes, as more additional pieces of information get gathered. But also, it's the scale as more people
get signed up to this tool, then it can be not just offered for refugees. At this point,
we're offering it for refugees, but it could be a way
of offering this to everybody, right? It's a way of having a digital identity where you keep all
of your records in one place and you don't lose them for any reason. We're seeing more instances
of this, for example, through the Swiss town that is known as the Crypto Valley of Switzerland,
has announced that it will provide all of its citizens with a digital identity on the Ethereum
blockchain by September 2017. So I think we're going to see more of this trend in the near future.
All right. Interesting stuff. Malek Ben Salem, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.