CyberWire Daily - Pyongyang’s guide to hacking on behalf of rogue regimes. RATs in the supply chain? Data exposures and data breaches. Securing elections (and caucuses, too).

Episode Date: February 11, 2020

Pyongyang establishes a template for pariah states trying to profit in cyberspace. The FBI warns that there’s a RAT in the ICS software supply chain. The US has a new counterintelligence strategy, and cyber figures in it prominently. Likud’s exposure of Israeli voter data may benefit opposition intelligence services. Notes on the Equifax breach indictments. As New Hampshire votes in its primaries, CISA warns everyone not to get impatient. And Iowa? Still counting. Robert M. Lee from Dragos on their recent report, “Industrial Cyber Attacks: A Humanitarian Crisis in the Making.” Guest is Andrew Wajs from Scenera on the NICE Alliance and Cloud Privacy. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_11.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Pyongyang establishes a template for pariah states trying to profit in cyberspace. The FBI warns that there's a RAT in the ICS software supply chain. The U.S. has a new counterintelligence strategy and cyber figures in it prominently. Likud's exposure of Israeli voter data may benefit opposition intelligence services.
Starting point is 00:02:16 We've got notes on the Equifax breach indictments. As New Hampshire votes in its primaries, CISA warns everybody not to get impatient, and Iowa, they're still counting. From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Tuesday, February 11th, 2020. Researchers at the intelligence firm Recorded Future describe how Pyongyang has adapted the internet into a tool for rogue regimes. North Korea has grown adept at using cybercrime as a means of evading the international sanctions that have crippled its economy. The country's hackers have become proficient, Recorded Future says, at three ways of generating revenue. Internet-enabled bank theft, exploitation of the cryptocurrency sector as seen
Starting point is 00:03:06 in some of the Lazarus Group's recent activities, and finally, what the researchers call low-level information technology work and financial crime. The regime has also succeeded in stealing intellectual property useful in acquiring or enhancing its capabilities in prohibited technologies, especially ballistic missiles and weapons of mass destruction. The North Korean template can, Recorded Future suggests, be used by other pariah states struggling under international sanctions. They specifically mention Venezuela, Iran, and Syria. According to ZDNet, the U.S. FBI has circulated a private warning to industry, cautioning companies that threat actors are working to infect software supply chains
Starting point is 00:03:48 with the Kwampirs remote-access trojan. This particular RAT has been seen most often used against targets in the healthcare sector, but the recent FBI warning suggests that Kwampirs has been seen in use against industrial control systems. The U.S. has released its National Counterintelligence Strategy. The document lays out a case described in the Wall Street Journal that the intelligence threats the U.S. faces have grown more diverse, more complex, and more damaging, especially as they merge traditional intelligence disciplines with cyber operations
Starting point is 00:04:20 and as they show an increased disposition to engage in economic espionage. The team at security firm Scenera has been working to standardize security measures for surveillance and IP cameras, and among their efforts is supporting the NICE Alliance. NICE stands for Network of Intelligent Camera Ecosystem, and they've recently released details of a framework for IP camera security. Andrew Wajs is CTO and co-founder at Scenera. There are a number of issues with intelligent cameras, and obviously one of the most important is the issues of security and privacy from both the developer perspective and for the end user or end customer.
Starting point is 00:05:03 But security and privacy was a very important part of how we approached the problem. It was, in fact, the first thing we actually addressed in developing the standard. Now, one of the things that you're doing here is sort of flipping the script when it comes to where in the chain images are processed. And that sort of has a cascading effect on things like privacy. Can you give us an overview of what's going on there? Yes. So with privacy, what we have done is we've enabled there to be fine-grained control. First of all, what data gets generated.
Starting point is 00:05:39 So in configuration of the cameras, we can actually configure the camera such that only notifications get generated. So things like faces or even the actual events themselves can be discarded by the camera. And then also enabling the end user to determine which types of data gets generated and which applications can access that data. So we actually enable some data to be accessible to some applications and other data to be accessible to other applications or not accessible at all. Can you give us a real-world example of an application of that? So let's say you have a camera in a location where you're monitoring for certain events. And in particular, you don't want people's faces to be recorded,
Starting point is 00:06:26 but you do want to see if somebody enters an area which they're not supposed to enter or if there's a vehicle entering a location. In that case, we can actually program the cameras to simply send a notification saying that an event has occurred and there's no upload of any video with any facial information. And so I suppose the notion is that this plays well into the types of regulations that we expect to see coming when it comes to privacy and maintaining data and so on.
Starting point is 00:06:57 Yes. So, yeah, we have this notion of what we call zero image surveillance where you can actually make sure that sensitive data is never distributed. And I think there are a lot of applications where this is going to be very important, particularly with facial recognition. And being able to avoid capturing faces in certain applications is going to be really crucial,
Starting point is 00:07:19 not just from an end-user's privacy perspective, but also from a regulatory perspective as well. And how do you envision a broad deployment of this sort of thing? Is this a framework that is going to be widely available? Are you keeping some exclusivity to it? Do you have partners lined up? Yeah, we're working with typically large enterprises or carriers who want to deploy cameras quite widely.
Starting point is 00:07:46 So, for example, in smart cities where you'd have a lot of cameras within the urban environment. So we're typically working with enterprises and larger organizations who want to deploy large numbers of cameras. But we see this ultimately can go, you know, from enterprise all the way through to consumers. That's Andrew Wajs from Scenera. The Jerusalem Post reports that the data leaked from a voter database app used by the Likud party may have compromised information
Starting point is 00:08:19 on Israeli intelligence officials. They cite Harel Menashri, currently head of cyber at the Holon Institute of Technology, and formerly one of the founders of Shin Bet's cyber unit, as pointing out the potential implications of the data exposure. Again, it's the fact of the exposure and not any evidence that a foreign intelligence service has the data, but there's a non-negligible chance that they do. So, in assessing risk, one takes into account the opposition's capabilities. They might have the information, and it's best to plan on the assumption that they do.
Starting point is 00:08:53 And finally, the U.S. state of New Hampshire conducts its presidential primary today, and CISA distributed an encouraging email that praised successful threat information sharing. Writing on behalf of the Election Infrastructure Government Coordinating Council on ongoing efforts to protect 2020 elections, the email reminded everyone not to get hasty or jump the gun. The CISA email said, "And remember that election results published on election night are not official. It may take days or weeks for official results to become available.
Starting point is 00:09:24 The accuracy of the vote total is much more important than the timeliness of releasing results." They seem to be looking at you, Iowa, where the two leading candidates, according to preliminary results, Senator Sanders and former Mayor Buttigieg, have both requested a partial recanvass. A recanvass, the AP explains, is not a recount. Rather, it's a check of results against the paper records in the precincts and would not involve checking the math, addition, basically, recorded on those paper records. After a recanvass is complete, then a candidate may ask for a recount
Starting point is 00:09:56 in which presumably math errors might be identified and corrected. Democratic National Committee Chair Tom Perez has been critical of the Iowa Party's conduct of its caucus, suggesting that the state's position as first stop in the nominating process would be re-evaluated, as it periodically is. Iowa Party leader Troy Price has reminded Mr. Perez that it's up to the state party and not the DNC to decide whether to recanvass. Price told WHO-TV, "We've got a job to do, and that is to finish up this process. There is a time to assign blame, but I will tell you the DNC has been a partner in this process up to and including caucus night." Part of the post-mortem will surely be a look at
Starting point is 00:10:38 how Shadow Incorporated's ill-starred Iowa Reporter app was developed and deployed.
Starting point is 00:12:37 And joining me once again is Robert M. Lee. He's the CEO at Dragos. Rob, it's always great to have you back. You all recently posted on your website a really interesting article here. It's Industrial Cyber Attacks, a Humanitarian Crisis in the Making.
Starting point is 00:13:28 Take us through, what are you laying out here for us? Yeah, absolutely. Look, I think when we look at security, we can't do it in just kind of the technical view of the world. It is important to understand where we fall in things like international humanitarian law or law of armed conflict or just kind of how countries around the world are viewing these things,
Starting point is 00:13:45 especially in industrial security where you're talking about electric grids and oil refineries and manufacturing and similar, like national infrastructure. Long story short, we've been trying to support, I don't think we can take a ton of credit. So I just want to say we're supporting them, like they're the ones doing all the work,
Starting point is 00:14:01 but we're supporting the Red Cross as it thinks through some of these challenges and where cyber attacks really fall. And I think that one of the challenges for the Red Cross has always been that when we talk about cyber attacks, it can mean anything. And we'll call something a cyber attack when it's an exposed AWS container or phishing email. And so it's hard to deal with.
Starting point is 00:14:24 But for them to get their mind around industrial control system attacks, that's much easier to go, oh, you can turn off the power and that would relate to hospitals. And there could be attacks that aren't actually completely legal based on how they're conducted against civilian targets. And it's much more obtainable for them and something that we can all put a line in the sand. So what it really came down to is we shared our insights that we're seeing
Starting point is 00:14:50 dealing with the threats and understanding how these threats are evolving just based on the data we have, not trying to get too predictive here, and understanding what that could mean in the future so that the Red Cross and other international organizations can try to get a little ahead of it. One of those takeaways is that the industrial control system attacks usually are very specific in nature. If I design an attack on a safety system in a petrochemical environment, that's not going to scale very well. But as we have this kind of digital transformation or industry, as we're becoming more like each other, more homogeneous in nature of infrastructure, and as these threats are exposing more and more blueprints of how to do these attacks, you know, the tradecraft or the TTPs or the methods to which they do the attacks,
Starting point is 00:15:47 more so than malware exploits, we're kind of hitting this convergence at the scalability of attacks. And we could start to see in the future more commoditized attacks and adversaries who aren't sophisticated state actors, even though those aren't always all that sophisticated or mature or responsible. But we could definitely see more criminal actors and similar, which would really escalate this to an unsafe place for the international community. Well, and also, I mean, what comes to mind for me is something like NotPetya, where something kind of, you know, escapes and causes damage beyond what perhaps its original intentions were set out to be. Absolutely. And there were, you know, I think a couple companies got pulled in the spotlight on that. But there were, you know, we have an incident response statement. We got called into a lot more than was public. And we're talking about a significant number of companies who lost tens to hundreds of
Starting point is 00:16:37 millions in dollars based off this attack. And again, not the public ones, which raises a lot of questions as well. But that was off of just the fact that we had more IT systems in industrial control. We had more operations technology than before. And one of the common themes when we were talking to executives or presenting to their boards or similar was that a lot of the folks thought these were segmented off plants or thought that this risk didn't exist. This is one of the things you always hear me talking about where like the enterprise security strategy can't be copy and pasted into the industrial environment. We need to think about an industrial security strategy.
Starting point is 00:17:12 Ransomware worms and similar are a really effective and unfortunate way to figure out asset identification. They help people like, oh, we had a plant over there, and it was connected. It turns out. Yeah, exactly. And so we are seeing a trend in the community where people are realizing after the fact how much more risk and exposure they had than they knew about. Then we kind of calm them down and go, hey, but our infrastructure is really reliable. Our engineers and operators have done an amazing job over the years, and no, the power grid isn't just going to go out overnight because there's not even just one
Starting point is 00:17:47 power grid. But at the same time, we kind of want to lean into it and go, yeah, but based on what we're seeing in the threats, this is going to get ugly. It's not freak out now. It's, hey, then like a five to 10 year kind of period, things are going to get really, really heated. And let's just get ahead of the problem and make sure that we can at least make it safer for people to be in this world and at a very minimum tie cybersecurity to safety on the industrial side. How much are nations around the world on board with this idea of keeping these things off the table? They're all completely on board with the idea of everybody but them keeping that off the table.
Starting point is 00:18:25 Yeah, yeah. There is, there's like no state, I mean, I don't know, maybe the Vatican comes up with it or something, but there's like no state that's like, hey, let's deny capabilities to everybody. Every state is, let's deny capabilities to everybody but us. And that has always been the problem. And there's all sorts of political theories you can get into there. And the reality is, without dragging things into the light and holding people accountable, it's just not going to work. But I mean, is that a peculiarity of cyber?
Starting point is 00:19:03 Because I don't think you find that around the world, people saying everyone should be able to bomb civilian hospitals except for us. Well, I think there's an accountability and a tangible nature to things like bombing. You know, my background being in the U.S. intelligence community, and I love the U.S. coming deep enough, red, white, and blue is probably there. But even there, like, really stupid, sickening choices would get made or get suggested, at least. You know, I always remember hearing the U.S. say, we will never attack civilian infrastructure. And you go, cool, what do you consider civilian infrastructure? Like, well, actually. And you realize that like the power provider outside of the hospital that's also providing base power, well, that's not a civilian target. It's providing power to the base.
Starting point is 00:19:43 Like what? That is absolutely a civilian target. So I think if I like to hold the U.S. government in high esteem, obviously, I'm extremely biased being from the U.S., but if I like to hold the U.S. government in high esteem and even with them, I am seriously bothered by some of the questioning that takes place. I would rather just say that probably everybody's got a similar issue around the world and not to stereotype all countries around the world. I would just like to say that we should probably have a non-government kind of arbiter or at least some international public discussion. Again, if you bomb somewhere, there's generally going to be an amount of evidence and understanding that people can wrap their head around.
Starting point is 00:20:27 If you do a cyber attack, even when we know, yeah, Russia broke into the DNC, it was like, well, did they? Maybe the servers in Ukraine. It's like, oh, my God. All right. And we need and I'm not advocating like the answer is attribution. Actually, the answer isn't necessarily attribution. The answer in many ways is having some level of laws, but not only laws, but norms. And then beyond the norms, some level of precedent of actually enforcing those norms. I mean, you and I talked years ago when I said, hey, this 2015
Starting point is 00:20:57 Ukraine attack thing, not one government official has come out at a senior government level anywhere in the world and actually publicly condemned this attack, regardless of who did it, we're setting precedent that this is okay. And then we've just seen kind of this evolution over the years since then. And until we start having some precedent to even acknowledge these things are bad publicly, we're in for an interesting ride. All right, Robert M. Lee, thanks for joining us.
Starting point is 00:21:40 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
Starting point is 00:22:31 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening. We'll see you back here tomorrow.
