CyberWire Daily - IRGC domains taken down. A look at 2021's threatscape. Russia says it didn't do anything (others see Bears.) Forfeiture of Silk Road's hitherto unaccounted for billion-plus dollars.
Episode Date: November 6, 2020
The US Justice Department takes down twenty-seven domains being used by Iran's Islamic Revolutionary Guard Corps. Booz Allen offers its take on the 2021 threatscape. Russia declares itself innocent of bad behavior in cyberspace, but many remain skeptical. Johannes Ullrich from SANS looks at supply chain risks and managed service providers. Our own Rick Howard speaks with Wired's Andy Greenberg about the recent Sandworm indictments. Silk Road's missing billion dollars appear to have been found, and the US Government is working on a forfeiture action. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/216
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S. Justice Department takes down 27 domains being used by Iran's Islamic Revolutionary Guard Corps.
Booz Allen offers its take on the 2021 threatscape.
Russia declares itself innocent of bad behavior in cyberspace, but many remain skeptical.
Johannes Ullrich from SANS looks at supply chain risks and managed service providers.
Our own Rick Howard speaks with Wired's Andy Greenberg
about the recent Sandworm indictments.
Silk Road's missing billion dollars appear to have been found,
and the U.S. government is working on a forfeiture action.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 6, 2020.
The U.S. Department of Justice this week announced that it had taken down 27 domains
Iran's Islamic Revolutionary Guard Corps had used to distribute propaganda and disinformation.
Many of the domains represented themselves as belonging to legitimate news outlets,
but all were determined to be run by the IRGC and to be illegally seeking to exert a covert influence on public opinion in the U.S. and
elsewhere. The warrant cites violations of the International Emergency Economic Powers Act
and the Iranian Transactions and Sanctions Regulations. The Justice Department's announcement
also notes that the IRGC's provision of material support to Hezbollah, Hamas, and the Taliban
earned it a place on the Treasury Department's list of specially designated nationals.
That, too, exposes the group to U.S. legal action.
John C. Demers, Assistant Attorney General for National Security,
explained the rationale for the takedown as follows,
quote,
as long as Iran's leaders are trying to destabilize the world through the state sponsorship of terrorism
and the taking of hostages,
we will continue to enforce U.S. sanctions
and take other legal steps to counter them.
Booz Allen Hamilton has published its expectations
for the cyber threat landscape in the coming year.
They arranged their predictions on a novelistic armature,
the efforts of a fictional CEO Dakota Alexander of a fictional Fortune 500 company to deal with
a major cyber incident. The report opens much the way the Cyberspace Solarium Commission introduced
its report, with a fictional account of a Washington hellscape created by a massive
attack on the Internet of Things.
The resemblance is not accidental.
Both intros are by Peter Singer, political scientist turned novelist.
Booz Allen sees eight main trends in cyber threats.
We might group them into three categories.
The success-inspired, the pandemic-driven, and the technologically enabled.
The success-inspired trend will be marked by increased attention to and experimentation with
various extortion and ransomware criminal business models.
There are three pandemic-driven trends Booz Allen sees shaping the threat.
First, both criminals and nation-states will devote more attention to attacking the delivery and shipping sectors.
The increased importance of these businesses makes them high-value targets.
Second, COVID-19 tracing apps and their supporting ecosystem
present a new attack surface for criminals, spies, and even low-life trolls.
Third, healthcare's shift to a remote delivery model
is likely to be an enduring one,
and telehealth systems and remote healthcare monitoring devices
can be expected to become more attractive targets for criminals.
And finally, technological advance in cloud migration, artificial intelligence, and 5G
networks will also shape the way threat actors develop and service their targets.
The first trend is the likelihood that cloud-based development environments
will become a vector for supply chain attacks.
Second, as artificial intelligence becomes more pervasive across industries,
machine learning systems and methods will become high payoff targets.
Third, 5G networks will complicate the attack surface industrial control systems present
and give attackers a fresh advantage over defenders.
Finally, the general public availability of 5G will enable attackers to find and exploit
vulnerabilities in their victims' mobile devices. Each threat trend is accompanied by a set of
recommendations for managing the risk the trend presents. The report closes with three general
recommendations. Don't become distracted, be proactive to be resilient, and have an incident response retainer in place.
TASS is authorized to declare that, quote,
Russia keeps facing claims of its destructive behavior in cyberspace which are groundless, end quote.
And they have that straight from President Vladimir Putin.
He's particularly miffed at reports of attempts to meddle with foreign elections.
The rhetorical technique employed here is unlikely insistence.
There are continuing claims against us on our alleged hyperactivity in information space, meddling in elections and so on, which are absolutely unfounded, Mr. Putin said, and he repeated his calls for more cooperation with the U.S. on approving a comprehensive program for practical
measures for resetting relations with Russia in using IT technologies. He also called for
a full-scale bilateral regular interdepartmental dialogue on key issues of maintaining international security at a high level.
Russia has indeed been quieter during recent elections in various countries than it was a few years ago,
but quieter doesn't mean totally silent.
Consider Reuters' recent Fancy Bear sighting and its account of GRU activities
against some U.S. Democratic Party email accounts.
And in any case, the bear's lower profile is at least as likely attributable
to their adversaries' deterrence by denial as it is to any putative Russian self-restraint.
Some of the targets, Reuters says, include the Democrat-aligned Center for American Progress
as well as the Indiana and California Democratic parties.
There's no particular evidence of notable success in these campaigns,
but then not all pawing gets the honey.
The Silk Road online contraband criminal market was taken down seven years ago,
its proprietor Ross Ulbricht now serving time in a U.S. federal prison.
But the Silk Road legal story has continued.
This week, the U.S. Justice Department filed a judicial forfeiture action
seeking control over more than a billion dollars in Bitcoin
squirreled away in a crypto wallet associated with Silk Road.
Someone, a hacker known only as Individual X,
succeeded in exfiltrating a lot of altcoin from Silk Road wallets,
and as the price of Bitcoin rose, so did Individual X's account.
The Internal Revenue Service noticed, Treasury took the Bitcoin,
and now Justice is filing for forfeiture to bring some closure to the affair.
So it appears, as Wired observes,
that Justice may finally have an answer to its billion-dollar question,
where did all the money go?
If anyone needs a refresher on Silk Road and its celebrity impresarios, the online site Free Ross Ulbricht describes Mr. Ulbricht as an entrepreneur passionate about free markets
and privacy, which is one way of looking at it.
His hacker name, we recall, was the Dread Pirate Roberts, an homage to the Princess Bride.
The U.S. Justice Department's view of Mr. Ulbricht's career may be viewed at justice.gov,
and it's decidedly less rosy than the free-marketing privacy hawk Free Ross describes.
Silk Road trafficked a lot of drugs and made a great deal of money from it.
And finally, our long period of uncertainty over leadership,
over succession, and over the orderly transfer of authority seems finally to have reached a
satisfying denouement. Major League Baseball has approved John Angelos as the successor to his
father Peter as control person of the Baltimore Orioles. That is the executive responsible for the club as a whole.
So take heart, Baltimore.
Talk birdie to me.
It's November,
so let the hot stove leagues begin.
Following the recent U.S. indictments of several Russian nationals associated with the Sandworm adversary group, our own chief analyst Rick Howard reached out to Wired writer and author
of the book Sandworm, Andy Greenberg, for his take on these developments.
Andy Greenberg is a senior writer for Wired, responsible for security, privacy, and information
freedom, and author of the most excellent book, Sandworm,
A New Era of Cyberwar, and the Hunt for the Kremlin's Most Dangerous Hackers.
Welcome to the show, Andy.
Thank you, Rick.
I'm glad to be here.
Now, we asked you to join us today because just this past Monday, 19 October 2020, the
United States Department of Justice unsealed charges, including computer fraud and conspiracy, against six of the hackers who allegedly are part of the hacker crew behind the cyber operations you so clearly articulated in your book.
And we thought you might have some insight about what all this means.
So thank you for doing that, kind of giving us a guidebook for how to understand all this stuff.
Yeah, reading this indictment, to me, it's very gratifying.
In a way, it's a kind of closure
on years of tracking this group
that at times,
it felt like I was in a pretty small club
of security researchers
who even believed that this was one group
that was carrying out all of these attacks.
And now seeing six names and six faces being held accountable for this,
it's like a nice coda to the story.
All right, so let's talk about that.
Maybe not everybody has read your book yet.
And by the way, I highly recommend that they do.
But can you give us a thumbnail sketch of what the book was about?
And then we can talk about what the indictments mean.
Sandworm is a group of Russian hackers that since late 2015 or so have carried out what I think is,
you know, you could say is the first full-blown cyber war. Starting in Ukraine, they attacked pretty much every part of Ukrainian society with these data-destructive attacks that
hit media and the private sector
and government agencies, and then ultimately the electric utilities, causing the first
ever blackouts triggered by cyber attacks.
Sandworm hit Ukraine's power grid not once but twice in late 2015, and then again in
late 2016.
And then finally, this Ukrainian cyber war that Sandworm was waging, essentially,
in the middle of 2017, kind of exploded out to the rest of the world with this cyber attack
called NotPetya, a piece of malware that, a worm, a self-propagating piece of fake ransomware that
was actually just a destructive attack that spread from Ukraine to the rest of the world and
took down a whole
bunch of multinational companies, medical record systems, and hospitals across the United States,
and ultimately cost $10 billion in global damages, the worst cyber attack in history,
by a good measure. So the story of Sandworm is kind of a detective story about the security researchers across the private sector.
I focus on a few different people who were kind of trying to track this group and figure out who
they are and try to warn the world that this Ukrainian cyber war was soon going to spill out
and hit us too. And then that is exactly what happened. And when that happens, the book kind of switches from a detective story to a disaster story. And I track
the effects of NotPetya across the world as it kind of causes this wave of devastation.
So why the indictments now?
I can't say that I have a definitive answer. I mean, I've asked Justice Department officials
if this is about the election, and they say no, that this is just how long it takes to really get the evidence of who was at the keyboard doing what and have the basis for an indictment that will hold up in court, although it will probably never really go to trial. These guys will never actually see the inside of a courtroom. But it's hard to imagine
that there's not some sense of the election in the calculus here, because we know that the GRU,
another part of the GRU, at least APT28, Fancy Bear, Microsoft has already warned that they were
targeting hundreds of organizations over the last year, trying to breach them, and that many of them
were political consultancies
and political campaigns associated with the election, and that they were probably trying
to do a kind of hack and leak operation as they did in 2016. So it seems to me like, I mean,
maybe it wasn't even intended to, but I kind of guessed that it was, that this indictment sends
a message to the GRU that cut it out. Like if you were going to do something for this election,
just remember, we are going to catch you.
We're going to hold you responsible,
just as we did for these older attacks.
I know there's all that calculus
and it's easy for armchair cyber warriors like you and me
to take potshots at it.
But is there anything you could say about that?
Is there, could you see reasons why governments would be reluctant to call out the Russians on this?
Well, I think you're right. Like, it's, um, I am an armchair cyber warrior at best, and, um, and you
know, I know that this stuff is hard, and I really, you know, as I was saying, like, the
criminal indictment is a remarkable
document. And I'm amazed at the amount of work that clearly went into it. But I do think that
like we have to hold our public officials accountable and we have to hold them accountable
to holding Russia accountable. It doesn't seem that hard to me to put together the forensic
evidence that I could see that these attacks were carried out by Russia and make a public statement about
that. I often use this Lord of the Rings analogy. This ring is so powerful that everybody wants it
for themselves and nobody wants to do the hard work of carrying it to Mount Doom and destroying it.
Oh, man, that is the best analogy I have ever heard.
We've definitely seen the escalation of this idea of continuous low-level cyber conflict in the early part of the decade.
You know, it was minor annoyances, but the NotPetya and everything else after seems to
be more significant.
So, Andy Greenberg, thank you for being on the show.
Everybody go read his book. It's fantastic.
Thanks for taking the time with us.
Thank you, Rick. This was a fun conversation.
Our own Rick Howard speaking with Sandworm author Andy Greenberg.
You can hear more of this interview on our website.
It's part of CyberWire Pro.
And joining me once again is Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute.
He's also the host of the ISC Stormcast podcast.
Johannes, it's great to have you back.
You and your team have been looking at supply chain risks,
specifically when it comes to managed service providers.
What sort of information do you have for us today?
Yeah, this was pretty much prompted by an event recently where one large managed service provider,
Tyler Technologies, was breached.
And we had some of their customers contact us because they found remote access tools
installed on some of their systems.
And of course, the big question then was, are these tools that Tyler Technologies legitimately installed,
or, due to the breach, were passwords and so on leaked?
Is this something that an attacker installed
after breaching Tyler Technologies
and retrieving these passwords from them?
So how do you explore something like this?
What path did you all go down?
Yeah, so of course, first you look at what tool is being used.
The tool that was installed here, that remote access tool, was by all means a commercial, legitimate tool.
And then, of course, it gets even more tricky.
This is something that a managed service provider would certainly install on your systems
because they do need that kind of access to your system.
They need to be able to remote install, remote monitor, and do all of these things to it.
So what it really comes down to is what I was calling, now, who's watching the watchers here.
You have these companies that are managing your networks.
Often they also provide security functions for your network. There are various levels of service that you can purchase.
But you need some kind of controls around how they're doing that, what they're doing. So you should have some communication channel set up
where they will tell you, these are the kind of remote access tools we are going to install on your systems. In particular, if you're still retaining some security monitoring function,
you need to know that in order to understand that this new communication
you see in and out of your network is legitimate.
That's due to this particular tool that the vendor installed.
Yeah, I was going to say, I mean, it seems like really it's not unreasonable
to expect a high level of communication with these folks,
especially if they're going to have intimate access to your network.
Exactly. And that's really important that you also monitor them based on this.
You can't sort of totally relinquish control of your network.
You need to still retain sort of some kind of monitoring, some kind of access.
But you, like I said, watch the watchers.
You're checking up on them.
And this is not necessarily an adversarial thing that you're doing.
It's not that you don't trust them.
It's just that you need to know who else is in your network but that managed service provider.
Because an attacker managing your network, as we sometimes even call it, is probably acting very similar to this managed service provider.
And you need to be able to tell the two apart.
Well, in this particular case, how did things play out?
What did you discover in the end?
In the end, we discovered here that this was a legitimate install, apparently.
But this is actually still somewhat in progress.
I don't think we have a complete conclusion yet, in part because everything is still a little bit in flux here with this breach as well.
All right. Well, word to the wise for sure.
Johannes Ullrich, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
It's the breakfast of champions.
Listen for us on your Alexa smart speaker, too.
Don't miss this weekend's Research Saturday episode and my conversation with Craig Williams from Cisco Talos.
We're going to be discussing PoetRat, malware targeting the public and private sector in Azerbaijan.
That's Research Saturday. Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Guru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.