CyberWire Daily - Recent email threats to US voters appear to be an Iranian operation. Notes on cyberespionage and influence operations. Hold the “blatant Russophobia,” TASS?

Episode Date: October 22, 2020

Emailed election threats to US voters are identified as an Iranian influence operation, disruptive, and so more in the Russian style. Both Iran and Russia appear to be preparing direct marketing influence campaigns. Cyber criminals are also exploiting US election news as phishbait. Seedworm is said to be “retooling.” Caleb Barlow from Cynergistek on contact tracing and privacy as students head back to school. Our guest is Jadee Hanson from Code42 on juggling priorities and protecting her organization as external and internal threats constantly take aim. And TASS deplores the “blatant Russophobia” of recent Five Eyes’ official remarks. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/205

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Emailed election threats to U.S. voters are identified as an Iranian influence operation, disruptive, and so more in the Russian style. Both Iran and Russia appear to be preparing direct marketing influence campaigns. Cyber criminals are also exploiting U.S. election news as phishbait.
Starting point is 00:02:20 Seedworm is said to be retooling. Caleb Barlow from Cynergistek on contact tracing and privacy as students head back to school. Our guest is Jadee Hanson from Code42 on juggling priorities and protecting her organization as external and internal threats constantly take aim. And TASS deplores the blatant Russophobia of recent Five Eyes official remarks. From the CyberWire studios at DataTribe, I'm Elliot Peltzman, sitting in for Dave Bittner, with your CyberWire summary for Thursday, October 22, 2020. The U.S. Director of National Intelligence yesterday said that the threatening emails received by voters in several states were the work of Iranian threat actors. See the AP for a general account. Both KnowBe4 and Proofpoint
Starting point is 00:03:27 have published discussions of the emails. The text looked much like that found in sextortion phishing, except that in this case, the threat conveyed was that the attackers knew who the voters were, where they lived, and would visit them with violence if they did not vote for President Trump's re-election. We asked KnowBe4, when they sent us their analysis, if this didn't amount to phishing without fishhooks. KnowBe4's response, quote, As for CyberWire's question, they're correct. At first glance, this does appear to be a phishing email, as it resembles classic sextortion emails that are now very common.
Starting point is 00:04:06 That said, there are no malicious links or attachments, and no demands for money. The email mainly demands votes and changes of voter registration. End quote. The senders claimed to represent the Proud Boys, a white supremacist fringe group, but that claim was quickly disavowed and debunked. The threat the emails conveyed is also no more credible than the threats conveyed by their sextortion models. The intent appears to have been disruptive. Whatever Tehran takes its interests to be, as Defense One notes, the re-election of President Trump is unlikely in the extreme to figure among them.
Starting point is 00:04:43 Proofpoint said, in response to a question we sent them, that they had no direct insight into the party affiliations of the people who received the emails. The emails themselves accused the recipients of being known Democrats, but that of course doesn't mean that they were or are. And various news outlets have said that people registered as Republicans or Independents or Libertarians or Bread and Roses members or Prohibitionists or whatever may well also have received emails. Republicans and Independents, anyways. We're just speculating about the others.
Starting point is 00:05:17 All this suggests poor aim in what amounts, in terms of tactics, techniques, and procedures, to a direct marketing campaign. The Washington Post quotes the Foreign Policy Research Institute's Clint Watts, whose Twitter feed has an instructive discussion of why, on grounds of sheer argument to best explanation, the operation looks like one of Iran's. It's ill-timed, for one thing, and runs against the interests of the Trump campaign,
Starting point is 00:05:46 whatever the text of the email might say. President Trump is, as we noted above, not exactly flavor of the month in Tehran. Above all, it's sloppy. We can see that. Marketing campaigns for, say, vacation timeshares or Jazzercise franchising opportunities would be better directed. To say nothing of the rifle-shot accuracy of association Chrome or Amazon serve up piping hot. The Wall Street Journal reports that the Director of National Intelligence also said that not only Iran, but Russia too, had obtained voter registration data. Such data are, in most U.S. jurisdictions,
Starting point is 00:06:25 matters of public record, freely available, and authorities expect to see more use of such information in the final weeks before the election. So, of course, the claim in the emails that the attackers had penetrated election systems is hooey. KnowBe4 added, in their reply to our questions, quote, Moreover, it's worth pointing out that the entire threat in this email turns on the claim to have penetrated election systems, giving whoever is behind these emails the ability to monitor users'
Starting point is 00:06:57 election behavior. That's just not a credible claim, as it is simply not believable that a group that had managed to penetrate election systems would be advertising the fact in such a public manner for several weeks before the election. We would expect any group that penetrated those systems to be sophisticated enough to hold their tongues and bide their time, waiting for the opportunity to do real damage come election day. End quote. The Washington Post characterizes the threat as long-expected, quote, targeting voter confidence rather than ballots and run on the cheap,
Starting point is 00:07:33 probably with publicly available data, end quote. As we said, direct marketing, but selling fear and mistrust as opposed to sports memorabilia or garden tools, or, well, you get the picture. Not every election-related activity is espionage, however. There's plenty of opportunity to go around. Reuters reports that Facebook, in its latest discussion of the inauthenticity it continues to whack, says that criminals in many countries, from Albania to Vietnam, Reuters says alphabetically, since apparently Zimbabwe is cybercrime-free, are taking opportunistic advantage of the U.S. elections to stage various criminal campaigns.
Starting point is 00:08:16 Many of these will involve phishing, so be on your guard. And not every Iranian cyber espionage effort is devoted to impersonating the Proud Boys, either. Symantec has an update on the activities of MuddyWater, the Iranian threat group also known as Seedworm. The researchers say that Seedworm is retooling and has brought the PowGoop tool into its arsenal. Seedworm's targets are regional rivals: Iraq, Turkey, Kuwait, UAE, and Georgia. TASS is authorized to disclose that accusations of misconduct in cyberspace leveled against the Russian government in general, and the GRU in particular, are not only baseless, but amount to blatant Russophobia. They're talking about the U.S. indictment of the six GRU officers
Starting point is 00:09:05 and the British denunciation of that same GRU for a wide range of offenses, ranging from hacking Olympic Games to murdering people with nerve agent. But TASS says it's all a bum rap and regrettable and people shouldn't make such accusations
Starting point is 00:09:21 and so on. Says TASS. All you Russophobes, you. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:09:55 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:10:27 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform
Starting point is 00:11:26 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with BlackCloak. Learn more at blackcloak.io. In a year full of surprises, there's a lot on the minds of CISOs. Let's hear now from Code42's CISO, Jadee Hanson. She sat down with Dave recently to talk about juggling priorities and protecting her organization as external and internal threats
Starting point is 00:12:13 constantly take aim. I think it's really important to remember that our mandate as security professionals hasn't changed. Our job is to protect the company in whatever circumstances we're in. And I also think it's really important that we remember to stick to the strategies and the plans and the maturity programs that we have in place. You know, the one thing that we do have to account for is a shifting landscape. And so, you know, we need to stick to our strategies but at the same sense, like we need to bring in kind of shifting landscape. So maybe that's a different type of attack vector one quarter and maybe that's everybody's working from home another quarter. I think as we look to 2021, one of the things that we're going to continue to be challenged with is just how do
Starting point is 00:13:07 we make sure to stick to our strategy and this new work from anywhere methodology. I don't anticipate that changing anytime soon. And so what, for me, one of the things I think about is just how do I maintain the right level of visibility to everybody that is sitting in their home office? In the old world, we relied on networks and people in the office. Now our networks span to everybody's homes. And we need to make sure that in 2021, we're really thinking through how do we enable that?
Starting point is 00:13:43 How do we have the right tech in place and the right visibility in place to enable that? And so I think some of the shift in 21 is going to be where we rethink the endpoint. We get away from anything network and we think about how do we have the right visibility on the endpoint to continue to secure the companies that we work for. Based on your experience, looking forward, I'm thinking of advice to other CISOs out there as they're trying to make their plans for the coming months and into 2021. Any advice, any tips or guidance for best practices and what people should be aiming their sights on? Yeah, a couple of things. One, I'm kind of going back to what I said earlier. I really think that this shift away from the network is something that
Starting point is 00:14:38 we have to embrace. We got to think about what is the technology that we need on the endpoint to have the right visibility and the right security controls. So that that would be one. The other thing that I would recommend, too, is to really think about like how we need to collaborate in this work from home world and how the security team can really support that. Yes, we need to protect their data. Yes, we need to make sure that we're not, no one's exfiltrating data, but at the same sense, like we have to support the collaboration that needs to happen. And, you know, now more than ever, we need technology that allows collaboration from team to team. And so thinking through in 2021, how do you do that? How do you do that in a safe way?
Starting point is 00:15:27 And then finally, just really that focus on employees. So as you think about 2021, like what do our employees need? What's the culture that you need to drive as part of the organization? It can't be the same as the safety that everybody felt in the office prior to the pandemic. We need to think about this differently. That's Jadee Hanson from Code42. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:16:08 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at Cynergistek. Caleb, it's always great to have you back.
Starting point is 00:16:55 You know, I wanted to touch base with you as kids are considering going back to universities. Some places are going back to universities, some places are going back to schools, and we're also talking about contact tracing apps and all that sort of stuff. I mean, this is a lot of information that's being shared, and there are some privacy implications here. And I know that's something that you've been thinking about. Well, the first thing to recognize in this, Dave,
Starting point is 00:17:21 is that there's a little bit of a public health cyber war game going on here in that the winners and losers and the pace of recovery for the U.S. as well as across the globe will in a lot of ways be determined based on who has access to data, access to vaccines, access to information on treatments. So there's a lot of froth, let's say, in the nation-state world to get access to this type of data. But now if we also look at, well, what are people gathering in contact tracing? And, you know, I recently looked at, you know, the surveillance program that some of these
Starting point is 00:17:55 universities are putting in place. And they even, interestingly enough, use the word surveillance testing. They're doing things like wastewater testing, because that's one of the early ways you can identify COVID. Students have to agree to random tests at any point in time. They're going to have to, you know, kind of get marched off and go get a COVID test. In a lot of cases, they're checking into their dorm room, to the cafeteria, to various classrooms, scanning a QR code. And, of course, every security professional hears the word QR code and starts to cringe because we all know you can embed, you know, applications in a QR code, right? But here's where it gets even more interesting is some of these schools are even saying, hey, look, you know, we've got this wireless network. We're going to track where
Starting point is 00:18:41 you move based on the Wi-Fi hotspots. And we're going to maybe even put an application on your phone. But don't worry, we're all going to put it in a FERPA database and it'll all be safe. And look, this isn't just universities. This is also employers. In some cases, employers are using, you know, ultra-wideband employee badges to track where you are in a facility and who you get near. But here's the big thing that this has that we've never had before in kind of our private data stream. Like we've all lost our healthcare data at this point. We've all lost a whole lot of personal information and location data and all that stuff, you know, either from being stolen or from advertisers using it. But the one big thing that we've never really had to tackle with before is who are we associated with?
Starting point is 00:19:30 And all of that is now in this data. And that's not just who I went to class with. That's who I'm dating. That's who I'm married to. That's maybe who I'm having an affair with, right? All of that is now in this contact tracing data. Well, so where's the balance there? I mean, if these efforts are being conducted in good faith, for good reason, in the middle of a global pandemic, how do we strike that balance? Well, I think that's actually easy. There's no
Starting point is 00:20:01 question we need to do this, right? I think any healthcare professional is going to look at this and say, yes, this is something we really do need to do. But there's two things we need to do with it. One, when do we stop doing it? And we need to think about that before we start doing it, right? When is the point where we back away
Starting point is 00:20:20 from collecting this data? What do we do with the data when we're done with it, after the crisis has passed? And I think the third thing we've got to think about is, as fast as we're rallying to get kids back to school, to get people back to work, every security professional needs to be standing up and saying, okay, this is a new risk, a new vulnerability, not on my watch. How am I going to rally just as fast to lock this data down and control it so it can't be stolen and inadvertently used? And look, if we all respond to that rallying cry, then we're going to get through this together. The mistake will be if the security teams don't go in right behind them and lock this data down.
Starting point is 00:21:05 Hmm. All right. Caleb Barlow, thanks for joining us. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Thank you. Our amazing CyberWire team. Thanks for listening.
Starting point is 00:23:05 Your business needs AI solutions that are not only ambitious, Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
