CyberWire Daily - Operation Soft Cell targets mobile networks. DC and Tehran trade barbs. Critical infrastructure concerns. Maryland’s Cyber Defense Initiative.
Episode Date: June 25, 2019
Operation Soft Cell was low, slow, patient, and focused, and apparently run from China. Washington and Tehran are woofing at each other, with more exchanges in cyberspace expected. Cyber due diligence is taken increasingly seriously during mergers and acquisitions. Short-sighted design choices affect app security. The US security clearance process gets an overhaul. Shimmers replace skimmers. And yesterday's US Internet outage explained. Sergio Caltagirone from Dragos on the growing tensions between the US, Russia and Iran and how providers of critical infrastructure can prepare. Tamika Smith interviews Danielle Gaines, a reporter for Maryland Matters, on MD Gov. Hogan's response to the Baltimore ransomware incident and the creation of the Maryland Cyber Defense Initiative. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_25.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Operation Soft Cell was low, slow, patient, and focused,
and apparently run from China.
Washington and Tehran are woofing at each other
with more exchanges in cyberspace expected.
Cyber due diligence is taken increasingly seriously
during mergers and acquisitions.
Short-sighted design choices affect app security.
The U.S. security clearance process gets an overhaul.
Shimmers replace skimmers.
Maryland's governor ups the state's cybersecurity game
in response to the Baltimore ransomware
event.
A look at the rising tensions between the U.S., Russia, and Iran when it comes to critical
infrastructure.
And we'll have an explanation for yesterday's U.S. internet outage.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 25, 2019.
Cybereason has released a report on a long-running, extensive but highly focused campaign, Operation Soft Cell, that compromised mobile networks.
It appears to be the work of Chinese intelligence services, specifically APT10,
also known as Stone Panda. It's either APT10 or someone operating just like them, as The Register
puts it, to express the attribution with proper caution. The Soft Cellers have spent the last two
years and a few months lurking in some 10 mobile networks worldwide. They were quiet,
patient, and focused, interested for the most part, it seems, in watching the movement and
other activity of what the researchers characterized as 20 to 30 high-value targets,
persons of interest to espionage services like politicians and diplomats. There's no particular
evidence that Operation Soft Cell pulled content from their
targets' messages, but the metadata alone were valuable, since such collection can yield the
victim's place of work, travel, and abode, as well as whom they talked to, how long they talked,
and so on. The operation avoided detection by going quiet for extended periods of time.
It was, as they say, low and slow.
They also installed their own VPNs in the networks they infested,
which made their job easier.
Those installations seem, in general, to have escaped notice.
Two members of APT10 were indicted by the U.S. Justice Department
back in December on charges related to espionage,
specifically with theft of intellectual property from U.S. corporations. They are, of course, not in custody, nor are they likely to be.
The indictment was part of the general U.S. naming and shaming approach to Chinese cyber misbehavior.
Washington and Tehran barked some more yesterday, but they didn't bite,
at least not at each other, at least not yet, and at least not publicly.
The U.S. did, as promised over the weekend, announce new sanctions against Iran,
with President Trump warning Iran not to overestimate American patience or restraint,
as both of these have limits.
For its part, Iran pointed out that it could knock down an American drone anytime it decided to do so,
and that, quote, the enemy knows it, end quote.
New sanctions directly affect senior Iranian leaders,
and Tehran remarked that they were outrageous and stupid.
The New York Times, which has been looking at Iranian Twitter feeds and other sources,
thinks that both regime hardliners and their opponents
think the whole sanctions shtick has been done to death,
and that it's unlikely that the latest round will change much. Their reported reaction suggests that
the Americans are more or less making the economic version of a rubble jump. As one Iranian wag
tweeted, quote, the only people left to sanction are me, my dad, and our neighbor's kid, end quote.
More seriously, observers tell the Washington Post that an
Iranian cyber campaign, if one continues to develop, will probably resemble Tehran's earlier
work, opportunistic and destructive. KnowBe4 warns everyone to expect heightened rates of
phishing. As Baltimore continues its recovery from the recent ransomware infestation it suffered,
Maryland's governor is focusing his attention on better protecting the Old Line State.
The Cyber Wire's Tamika Smith has the story.
Maryland joined a list of states across the country to hire a statewide chief information security officer.
Governor Larry Hogan created this position along with the Maryland Cyber Defense Initiative.
This new push comes after Baltimore City was hit by a ransomware attack in May, making it the second time the city was targeted.
Here to talk more about this new position and the panel is Danielle Gaines.
She's a reporter for Maryland Matters.
It's an independent not-for-profit news organization that covers government and politics across the state.
Hi, Danielle.
Hi. Thank you for having me.
Thanks for joining us.
So let's get right to it.
Maryland is joining Arkansas, Massachusetts, Ohio, and Washington in creating this CISO position.
What is it exactly expected to do?
So this is going to be a new statewide chief information security officer,
a similar position with kind of less authority statewide had already existed within the state's
Department of Information Technology. So that position is being expanded and that individual
is going to lead something new called the Maryland Office of Security Management. And that office is going to create
some uniform standards for how each state agency classifies the personal information that they
accept from the public and then how they protect that personal information. That office is also
going to create some centralized policies to help the state respond more swiftly if there is a cyber
attack incursion in state systems. So this new individual, this CISO, his name is John Evans,
and he served as a chief information officer for the Department of Information Technology,
and he'll be taking on this expanded role. What do we know about him? So as you said,
John had worked for the Department of Information Technology.
And this new role is basically an expansion on that.
So he'll be working with a lot more state agencies and kind of trying to get them all on the same page.
He's been in Maryland for a little while.
He teaches cybersecurity at University of Maryland, University College.
He holds other positions in the state, including the Maryland
Cybersecurity Council. He helped create a data center for the state that was called MD-SYNC,
and that basically combined data for a number of social services organizations in the state to help
kind of streamline and create efficiencies within those. So Mr. Evans has definitely been on the front lines of this. Yes, he has. And there was some reporting that at the last meeting of the
Maryland Cybersecurity Council, one of the things, so that's a different group that's not impacted
at all by this executive order. It has existed since 2015. It has a bit of a different focus,
which is protecting the state's critical infrastructure, if there was some sort of breach of, you know, the electric system or the water system statewide.
And so he's been a part of that council and he was talking to that council recently about how to kind of integrate state and local responses to cybersecurity threats.
The governor also created the Maryland Cyber Defense Initiative. What does that include?
So the Maryland Cyber Defense Initiative includes the position, as you stated, and then that Office of Security Management.
It also creates a 10-member panel called the Maryland Cyber Security Coordinating Council. That council is going to consist of high-level government officials that will provide guidance on kind of broad statewide policy as it pertains
to cybersecurity. Some members of that panel include the secretaries of the Department of
Budget Management, the Secretary of Transportation, the Superintendent of Maryland State Police,
the Director of the Maryland Emergency Management Association, and that group is going to consult
with outside experts as well to give kind of these broader overarching
direction to state cybersecurity efforts. So while I have you here, Danielle, let's look at
Baltimore City. How are they doing after the ransomware attack back in early May? The city of
Baltimore is almost completely back online, not entirely. As you know, Mayor Jack Young had refused
to pay a 13 Bitcoin ransom as part of that ransomware attack.
City services were completely halted for some time.
They had to create some workarounds for real estate transactions to allow people to register as candidates for the next city election.
And, you know, they're still doing some workarounds for water bills and other things.
But they hope to be back online entirely in the next few weeks.
A lot to be done in Baltimore and definitely a lot on the front of cybersecurity across the country.
Thank you so much, Danielle, for joining the program.
Thank you for having me.
Danielle Gaines is a reporter for Maryland Matters.
It's an independent, not-for-profit news organization that covers government and politics across the state.
You can follow her at Danielle E. Gaines on Twitter.
And Tamika Smith joins me in studio.
Tamika, where do things stand in terms of other states adopting programs like this proactively?
That's a really good question, Dave. When you look at the CISO position, this position
isn't quite new, but what is new is having a statewide position with a statute attached to it.
So Maryland, in this regard, is joining about 15 states across the country, including Colorado,
Delaware, Florida, Illinois. These are states that actually have statutes attached to
this specific position. Is there a template that states are using when they're establishing the
CISO position? In general, when you're looking at this position across the country, there are few
things that the state wants to make sure is actually happening. They're creating statewide security policies
and IT standards, requiring information security plans and annual assessments or reporting,
and also requiring that periodically security awareness training is provided for their
employees. Tamika Smith, thanks so much. Thank you.
Forescout has released the results of a survey that outlines how cybersecurity figures in merger and acquisition due diligence.
Slightly over half of the respondents say that they encountered a cybersecurity issue during due diligence that put the deal in jeopardy.
Positive Technologies looks at mobile device security and finds that a prospective data thief rarely needs physical access to a phone in order to pull information from it.
The root problem, the researchers find, lies in insecure data storage,
and the problems with such storage all too often derive from the earliest stages of app development,
where design decisions are made without fully thinking through their security implications.
The U.S. Department of Defense has recently assumed a leading role
in managing security clearances across the government, and it's changing some branding
to signal a fresh start. The Defense Security Service will henceforth be known as the Defense
Counterintelligence and Security Agency. By October 1st, the agency will have absorbed
the National Background Investigations Bureau.
Flashpoint sees a shift in the card-skimming underworld.
Skimmers are on their way out, being replaced by skinnier devices known as shimmers,
designed to be slipped into the card reader itself,
with the data captured being eventually retrieved by the swipe of a criminal's card.
And finally, Cloudflare traces yesterday's U.S. Internet outages to a cascading catastrophic failure
that began with Verizon's incautious acceptance
of a BGP goof from a small Pennsylvania ISP.
So it was a fumble and not an attack.
And evidently, all fixed now.
And joining me is Sergio Caltagirone.
He's the head of threat intelligence at Dragos.
So I want to start off here.
We're going to be talking about these increased tensions between the U.S., Russia, and Iran.
And I want to start off just by getting your overall sort of high-level take on this, both how you would
describe what's going on and your overall reaction to it? So I think that there's three elements here
that are in play. The first is, of course, the US and Russian interactions and escalation that's
been occurring. And then the second is, of course, the U.S. and the Iranian situation in the Middle East.
So I think together they pose a very unique situation where at this moment in time, the U.S. is potentially facing two fronts of major cyber escalation.
And these two fronts may themselves be allies? Of course, yes. So the Russians and Iranians
are allied in certain areas of common interest militarily. I think that the
allyship has been maybe a bit less pronounced and fairly weak, but of
course in any time of conflict, that can change radically.
I want to focus on this blog post that you all put up recently. This is titled, Five Things ICS Operators and Critical Infrastructure Must Do in the Face of Cyber
Escalation. Let's go through this together. The first step that you list here is take the threat
seriously. Yeah. So the fact is that there are retaliatory options available to all of the
countries involved. And of course, as rhetoric and as actions increase the escalation of tensions,
then of course, countries can act and react in a very short period of time. The challenge is,
of course, that no country wants to deploy, you know, military or kinetic force causing a loss of life. And so cyber is a potential means of using asymmetric force and warfare to
cause impact and retaliate without necessarily losing life. So all in all, this seems to be,
you know, a very serious situation where people will and, you know, we will see and we have seen,
of course, a little bit now, some amount of force being used across cyberspace.
The second point you list here is think beyond borders.
So that's really important. And that's one that I think most cyber defenders have a challenge with.
It's our job as threat intelligence analysts to understand the world at large and how that
interplays with cybersecurity. And of course, the key element here is that countries almost never engage in force unilaterally.
And so you will likely see offensive operations conducted in conjunction with or in cooperation
with multiple countries. So we can't just worry about what does Iran do or what's Iran going to
do, but what could Iran do and potentially other allies do? And the same
with the U.S., right? What could the U.S. do, as well as U.S. allies do, in retaliation? So we have to keep
the idea of conflict broader than one country versus another. And then the next one is increase
visibility and threat detection. Yeah, this is the one that we hit the most, right? When we walk in,
we do a threat response almost every week at Dragos
inside of industrial control networks. And the biggest thing we get is when we walk in,
we find that there's very limited, if any, telemetry being collected. That's, of course,
cybersecurity telemetry being collected inside of these environments. So when something happens,
understanding what occurred and what might happen next is very hard.
And so what we try to ask folks to do is that's where you have to start, which is see what you can see, gather what you can gather.
And most importantly, in a time of escalation like this, you know, go ahead and ramp that up.
You know, you can always ramp down your collection later, but when it's important, you need to go ahead
and get more data.
And then last but not least here, you say engage in active threat hunting.
Yeah.
So threat hunting does two things, right?
One is hopefully you go and find stuff that you weren't seeing before.
But actually more importantly with threat hunting is that when you do engage a team
to conduct active threat hunting during a time of
escalation, what it means is that you're going to be even more prepared if and when they find
something or something happens. And so for any company, that's super important is that you'll
have a team there ready and they will have the tools and capabilities ready to roll. So a small
investment upfront to be prepared generally gives you tons of dividends later.
There's a lot of different ways you can attack
critical infrastructure in different areas.
And so for us, what we're seeing is a growth in that
as well as a growth in escalation.
And when you see both intent and capability
grow at the same time,
you thereby increase the risk environment.
All right, well, Sergio, thanks for joining us.
Oh, thanks for having me. I appreciate it.
That's Sergio Caltagirone from Dragos.
The blog is titled Five Things ICS Operators and Critical Infrastructure Must Do in the Face of Cyber Escalation.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliott Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell. Thanks for listening.
We'll see you back here tomorrow.