CyberWire Daily - PLA cyber espionage, and training WeChat censorship algorithms against the Chinese diaspora. Snake is back, and so is Charming Kitten. Election security. Recruiting money mules.
Episode Date: May 8, 2020. Naikon has returned from four years in the shadows to snoop around the shores of the South China Sea. Tencent trains censorship algorithms on WeChat. Snake ransomware is back, making its way through the healthcare sector. Seeing Charming Kitten's pawprints in World Health Organization networks. Voting security during (or even after) a pandemic. Malek Ben Salem from Accenture on their Technology Vision report, our guest is Thomas Rid from Johns Hopkins University on his book, Active Measures. And unemployed workers are offered gigs as money mules. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/May/CyberWire_2020_05_08.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Naikon has returned from four years in the shadows
to snoop around the shores of the South China Sea.
Tencent trained censorship algorithms on WeChat.
Snake ransomware is back, making its way through the healthcare sector.
Charming Kitten's paw prints are showing up in World Health Organization networks.
Voting security during or even after a pandemic.
Malek Ben Salem from Accenture Labs on their technology vision report.
My guest is Thomas Rid from Johns Hopkins University with his latest book, Active Measures.
And unemployed workers are offered gigs as money mules.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire
summary for Friday, May 8th, 2020.
Naikon, a threat group that's now generally associated with the Chinese government,
has resurfaced to affect targets in the Asia-Pacific region.
Kaspersky says the group appears to be Chinese-speaking, but that's on the cautious side.
Just about everybody else says, straight up, it's Beijing.
Or, more accurately, Kunming.
Naikon had been detected in 2015 by ThreatConnect and DGI,
who attributed it to a People's Liberation Army unit in the Chengdu military region,
specifically to a 2nd Technical Reconnaissance Bureau outfit with the military unit cover designator 78020.
Unit 78020 is headquartered in Kunming and has responsibility for developing intelligence about Southeast Asia,
with a special emphasis on nations who claim territorial waters in the South China Sea.
The threat actor had gone largely unseen since its initial discovery,
but Check Point researchers now report observing it in a major campaign,
distributing a novel and hitherto unknown payload, Aria-body,
which combines remote code execution, data destruction, and data exfiltration capabilities.
The University of Toronto's Citizen Lab is warning of another ongoing Chinese campaign,
this one involving Tencent's use of its popular WeChat app
to monitor social media content exchanged within the Chinese diaspora.
Content moderation, essentially suppression of politically sensitive topics,
has long been practiced on WeChat.
What's new is the extension of surveillance to users outside of China proper.
Citizen Lab thinks the effort is designed to train censorship algorithms.
Snake, a ransomware strain Malware Hunter warned against back in January,
has been noted for the attention it pays to obfuscation,
as well as for its ability to reach into and encrypt files on all devices connected to a victim's network.
Dragos, which called the malware EKANS, reported its activity against industrial control systems.
EKANS is Snake spelled backward, to avoid confusion
with other unrelated malware also called Snake, or some variation thereof,
that was associated with the Turla threat actor,
and whose researchers were probably the first to observe the strain.
Krebs on Security has over the last two days reported that Snake was implicated in an attack
against Germany-based Fresenius Group, Europe's largest private hospital network.
Fresenius declined to go into much detail about the incident, but a company spokesman told Krebs on Security, quote,
I can confirm that Fresenius IT Security detected a computer virus on company computers.
As a precautionary measure, in accordance with our security protocol drawn up for such cases,
steps have been taken to prevent further spread.
We have also informed the relevant investigating authorities,
and while some functions within the company are currently limited, patient care continues.
Our IT experts are continuing to work on solving the problem as quickly as possible and ensuring that operations run as smoothly as possible.
End quote.
The campaign is unlikely to be an isolated attack on Fresenius.
While Fresenius is a big enterprise, the current Snake outbreak seems to be a part of a larger effort
against healthcare organizations working to provide emergency care during the COVID-19 pandemic.
Data availability is of course immediately threatened by any ransomware attack,
but Tripwire says that Snake has apparently joined other ransomware families in stealing sensitive data,
then threatening to publish it on victim-shaming sites.
The World Health Organization expects to continue its struggles against cyberattacks and influence operations,
and there's more evidence, circumstantial but strong,
that Iran's Charming Kitten threat group has been responsible
for phishing attempts against the organization.
Bloomberg reports that the attackers posed as representatives
of a media organization, the BBC, or a think tank, the American Foreign Policy Council,
in emails that sought to induce the recipients to open malicious attachments
represented as either a coronavirus newsletter or a set of proposed interview questions.
ClearSky Cybersecurity reviewed the emails for Bloomberg
and concluded that the domains featured in the emails
and the use of the link shortener Bitly were the tip-offs.
The Charming Kitten operators seemed to be interested, at least at first, in collecting email credentials from WHO employees.
WHO told Bloomberg that it had closed some systems in order to prevent hackers from gaining access
to them, recruited new employees for its computer security team, and enlisted the help of several security companies.
But the attacks are wearing, and a WHO spokesperson says that it will be difficult for the organization
to remain on high alert for much longer.
The Washington Post reports the pandemic has put a spoke in the wheels of training programs
that would teach election workers how to secure voting.
It's also raised the likelihood that more ballots in the U.S. and elsewhere
will have to be cast remotely, in all probability mostly by mail, but in some cases online.
Neither is easy to improvise at the 11th hour.
All electronic balloting presents problems that paper ballots don't.
Paper ballots aren't problem-free either, and the history of corrupt elections goes back to the
early 19th century at least, but they come with a different set of problems. A group of academic
and industry experts concerned with electronic voting have sent the U.S. Cybersecurity and
Infrastructure Security Agency, CISA, a letter expressing their appreciation for
CISA's work, but more importantly, stating concerns about CISA's advisories about election security.
The signatories see three basic problems. Voting online makes it more difficult to securely deliver
ballots. Online balloting is vulnerable to cyber attacks that could submit fraudulent ballots.
And surprisingly, administering the accepting part-time gigs.
in the U.S. and Canada who've lost their jobs during the COVID-19 emergency are being prospected with phishing emails that appear to offer gigs that would help tide them over through the crisis.
It's an unusually cruel scam coming as it does when the unemployment rates, in the U.S. at least,
are hitting post-World War II highs. An email arrives, often impersonating the Human Resources
Department of a well-known corporation like Wells Fargo,
with the offer of a part-time personal services job that would enable the recipient to earn much-needed money while working from home.
The recipient is asked to reply to the email for details.
The job, it eventually becomes clear, is work as a money mule for a criminal enterprise.
Those familiar with the ways in which intelligence services recruit, compromise, and run agents
will note that the criminals have learned from the spymasters.
They begin by habituating the recruits to performing small, innocent tasks, then escalate
to things that seem a bit sketchier, and finally have them running money for the gang.
By that time, the victim often feels they're too far gone,
too compromised to withdraw.
My guest today is Thomas Rid. He's professor of strategic studies at Johns Hopkins University's School of Advanced International Studies.
In a review of his 2013 book, Cyber War Will Not Take Place, The Economist called Thomas Rid one of Britain's leading authorities on and skeptics about cyber warfare.
His most recent book is titled Active Measures: The Secret History of Disinformation and Political Warfare.
Yeah, so I was in 2016, early 2016, I had been tracking Moonlight Maze, this old late 1990s Russian espionage campaign in detail, down to the level of, you know, doing old malware analysis of old artifacts that I was able to dig up.
And when I was in the middle of this, the election interference started in June 2016.
And we saw this marrying of hacking and leaking as well as some deception forgery built in.
And I realized after watching this for a while and after reading up on
the background that I'm not equipped to understand the real, the dynamics that are going on here
because they don't have the historical background knowledge. So I decided to write a book about it.
And so looking throughout history, as you do in the book, who were the major players when it came to this?
Yeah, so the big players that I'm covering in the book is, it starts off with the early Cheka, the predecessor organization to the KGB, headed by Felix Dzerzhinsky, the legendary founder of the Cheka.
But I also have several chapters on CIA operations in the 1950s
that really deploy some of the same tactics,
not quite as aggressive.
For example, there's no anti-Semitic disinformation
or racial disinformation coming from CIA.
But Stasi was amazing at this.
So, you know, I'm German, born myself, and I interviewed a few former Stasi disinformation officers too for the book, among other officers.
And it was just an amazing experience also on a personal level for me to talk to Stasi officers who spent their entire career running
disinformation operations.
Let's move into the digital age. In the 90s,
as the internet comes online and we find ourselves more and more
connected, how did these campaigns change and evolve
to take advantage of these new connected capabilities?
Well, obviously the rise of the Internet coincided with the fall of the Soviet Union.
So for most of the 1990s, late 1990s, you had this strange moment in history where the internet utopianism,
mostly coming from California, dominated.
So initially, leak sites like, for example, Cryptome,
and indeed Wikileaks in their early days,
were seen as a positive development only as a move towards transparency.
There was a lot of naivete and optimism built into this.
Same applies to the anonymous movement,
you know, the Guy Fawkes masks and all that.
But in fact, what happened is that a dream come true
for intelligence officers,
Eastern, you know, Cold War,
Eastern bloc intelligence officers.
This was the perfect situation.
You could now surface leaked information or forged information
in a way that didn't involve journalists,
but you could just simply upload it to some anonymous website and go from there.
And we see that emerging in late 2013, throughout 2014,
and then coming with force in 2015, especially in Ukraine.
How much do the cultures of individual nations inform the type of disinformation that they employ?
Yeah, that is a very perceptive question also.
I think what you see in the 1960s already, but getting stronger in the 70s and 80s, is that communism as an ideology in a way weakens people, even inside the intelligence establishment, you know, they make jokes about communism. Some of them are still ardent communists, but it becomes sort of this weird cynicism sets in
and people become,
there are two layers to the conversation,
what people say in private
and what people say at the workplace or in public.
And that cynicism, that double standard,
ultimately, I think,
made them, the Eastern Bloc,
better at disinformation
because they were trained at home to spot contradictions
and to tolerate contradictions and to play with contradictions.
And that's exactly what you need to do to run active measures.
You need to spot the contradictions of your adversary
and then play with them and exacerbate them.
Where do you suppose we find ourselves today in the U.S., in this era of fake news and so much polarization politically?
where does that place us in terms of our susceptibility
to this sort of disinformation?
Yeah, I think we have become more vulnerable
and less vulnerable at the same time
more vulnerable because we're more polarized as a society today
than at any time that any of us can remember probably,
which certainly makes it easier to exploit that polarization.
But at the same time, of course, there are more eyeballs
on disinformation, on intrusion attempts,
better forensics than ever before.
So if I were a Russian planner at GRU or something,
I would be a little nervous because it's really hard
to deliver against the high expectations
that your own leadership, let alone the adversary,
may have based on our overstatement
and somewhat panicked reaction to what happened in 2016.
Our thanks to Thomas Rid for joining us.
The book is titled Active Measures:
The Secret History of Disinformation and Political Warfare.
And I'm pleased to be joined once again by Malek Ben Salem.
She is the Americas cybersecurity R&D lead for Accenture.
Malek, it is always great to have you back.
The Accenture team recently published a tech vision survey,
and you pointed out some areas of that survey that are relevant to folks in security.
What sort of things do you have to share with us?
Yeah, last month we launched Accenture's Technology Vision. This is our annual thought leadership report that identifies emerging technology trends.
This year's report is entitled, We, the Post-Digital People: Can Your Enterprise Survive the Tech Clash?
And it explores how in a world where digital is everywhere,
enterprises need to reimagine their fundamental technology approach to create new business value and, more importantly,
to align to customers' and employees' values.
They've identified, you know, five different trends, but the main theme
was that what we refer to in today's environment as a tech lash or a backlash against technology,
that's not the real story. In fact, people still love technology. They use it more than ever,
but rather it's a tech clash, a clash between business and technology models that are incongruous with people's needs and expectations.
And one of the trends that they identify is what they call this dilemma of smart things.
You know, companies are producing these smart devices.
You know, they're out there for a long time.
They keep getting updated.
The software and firmware gets updated over time.
And just that basically is a new reality of product ownership,
where the product is in this constant or forever beta state.
The big takeaways from this trend are the need to design a product
for the entire journey of product ownership,
including the end of life cycle of that product.
And what they've highlighted
is some of the interesting examples
where Jibo home robot was discontinued last year.
And users, you know,
could talk to it.
They could say, hey, Jibo,
but it would no longer understand
or respond to any other voice commands.
Also, Google announced
that it would be shutting down
the Works with Nest program
in favor of the Works with Google Assistant solution.
And, you know, people just, you know, pushed back on that, which made Google announce that, you know, the existing Works with Nest connections would stay online.
But as companies designed for that, they got to be thinking about how this is relevant to security.
Not only will these old devices limit the business and its ability to deliver, you know, the greatest experience for users, they will begin to generate risk for the whole ecosystem.
Because it's aging technology, you know, it's rife with security vulnerabilities.
So building a strategy
for how to smoothly transition customers
from one generation of the product
to the next
will be a key component of customer retention,
but also of good security hygiene.
All right. Well, the name of the report is the Accenture Technology Vision for 2020.
Do check it out. Malek Ben Salem, thanks for joining us.
My pleasure, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell.
Thanks for listening.
We'll see you back here tomorrow.