CyberWire Daily - Recruiting spies via LinkedIn. WindShift in the Gulf. GlobeImposter ransomware. Blocking Telegram is harder than it looks. Policy notes from the Five Eyes.

Episode Date: August 31, 2018

In today's podcast we hear that the US Intelligence Community says that China is actively trying to recruit spies over LinkedIn. Britain and Germany had earlier issued similar warnings. The WindShift espionage group is active in the Gulf. GlobeImposter ransomware continues its evolution and spread. The Five Eyes issue some communiques about cooperation in cyberspace. Russia would like to block Telegram if it could do so without too much collateral traffic damage. Supply chain questions about Google's Titan. Johannes Ullrich from SANS and the ISC Stormcast podcast, with iPhone unlocking techniques. Guest is Andy Greenberg from WIRED discussing his recent article on NotPetya. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_31.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 The U.S. intelligence community says that China is actively trying to recruit spies over LinkedIn. The WindShift espionage group is active in the Gulf. GlobeImposter ransomware continues its evolution and spread. The Five Eyes issue some communiques about cooperation in cyberspace.
Starting point is 00:02:16 Russia would like to block Telegram if it could do so without too much collateral traffic damage. And supply chain questions about Google's Titan. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 31, 2018. Senior U.S. counterintelligence official William Evanina, whose formal title is Director of the National Counterintelligence and Security Center, warned that Chinese intelligence services are actively using LinkedIn to recruit American agents. The Chinese recruiting campaign involves contacting thousands of LinkedIn members at a time. The effort apparently involves catfishing.
Starting point is 00:03:02 Director Evanina declined to disclose how many bogus Chinese accounts U.S. authorities had discovered. He also wouldn't say how many Americans had been contacted or with what success. Evanina recommended that LinkedIn take action to purge itself of inauthentic accounts, pointing to Twitter's recent housecleaning as a good model for LinkedIn to consider. He was clear in that he regarded LinkedIn as a victim in this case. LinkedIn told Reuters that they've been talking with U.S. law enforcement agencies about Chinese espionage and that they did what they could to control catfishing and other abuse. The company's head of trust and safety, Paul Rockwell, said,
Starting point is 00:03:41 quote, We've never waited for requests to act and actively identify bad actors and remove bad accounts using information we uncover and intelligence from a variety of sources, including government agencies. End quote. Evanina's warning was motivated by the June conviction of Kevin Mallory, a retired CIA officer, on charges of conspiracy to commit espionage. A Mandarin speaker, Mallory found himself financially pinched in retirement. He was contacted over LinkedIn by an individual using the name Richard Yang, who represented himself as a headhunter. Yang arranged a contact between Mallory and a third man
Starting point is 00:04:21 who said he worked for a Shanghai think tank. Mallory made two trips to Shanghai during which he agreed to sell defense secrets to his Chinese contacts. Mallory, who the U.S. government thinks probably knew full well what he was getting into, will be sentenced in September and might get life. But hey, doesn't everybody recruit over LinkedIn? It's worth noting that this kind of recruiting can look initially legitimate. It's not as though you'll get a direct message inviting you to connect because, hey, you look like you might have treasonous skills. Nor are foreign intelligence services scouring LinkedIn for profiles of people who describe themselves as
Starting point is 00:05:01 driven professionals with a passion for betraying their country, reasonable compensation to be determined in negotiation. No, the recruiters seek to connect, elicit a response, habituate you to talking with them, then to doing small favors or good offices, and before you know it, you've moved from advising someone on your common hobby of stamp collecting to handing over plans for an F-35 radar. Maybe the contact is someone you've never met, or maybe it's a friend of an acquaintance, or maybe it's someone you vaguely remember swapping cards with
Starting point is 00:05:34 at that busy rootin' tootin' cyber shootin' happy hour just outside Fort Gordon. You remember, don't you? They had a bull ride in the bar room and everything. By the way, if you've ever tried to connect with our editor and he hasn't responded, it's probably because he thinks you're some kind of intelligence officer. That kind of suspicion, it's like a sickness with him. He doesn't mean to be rude. A hacking crew called WindShift is exploiting macOS vulnerabilities
Starting point is 00:06:03 in an espionage campaign directed against the Gulf Cooperation Council: Saudi Arabia, Kuwait, the UAE, Qatar, Bahrain, and Oman. The malware payload is distributed in spear phishing attacks. They promise more details later. There's no further attribution from DarkMatter, the security company that announced the discovery. As difficult as it may be to look at that target list and not think of that regional rival of the Gulf Cooperation Council, the one with the capital in Tehran, it's important, as always, to remember that many, most, all nations spy, and that there are many services who'd be interested in the Gulf.
Starting point is 00:06:51 Qihoo 360 warns that GlobeImposter ransomware is now out in more than 20 variants and they expect it to continue to evolve and spread. The researchers consider it the most troubling family of ransomware currently in circulation. Russia would like to block the Telegram encrypted messaging service, but their attempts have been unsuccessful. They haven't yet come up with a way of stopping Telegram without also stopping a lot of other traffic, and that's unacceptable collateral damage. The Five Eyes, as the intelligence services of the US, UK, Australia, Canada and New Zealand are called,
Starting point is 00:07:25 in recognition of roughly a century of close cooperation, agreed this week to increase collaboration in cyberspace. The official communique covered much familiar ground, determination to work against terrorism, cooperation on law enforcement, border security, with an emphasis on fighting human trafficking, a shared commitment to a safe and open internet, determination to protect children, and so on.
Starting point is 00:07:50 Four points are worth particular mention. First, the five governments expressed a common determination to share intelligence and resources to thwart foreign influence operations. Second, the governments say their talks this year have focused on tangible deliverables and practical collaboration. Third, they regret that industry declined their invitation to participate in the discussion because none of this will work without industry help. And finally, they're not going to give up the crypto wars. They remain concerned that end-to-end encryption makes it too easy for criminals and terrorists to operate with impunity.
Starting point is 00:08:27 The discussions produced a joint statement of principles on access to evidence and encryption. One concession to the pro-encryption side: governments should recognize that the nature of encryption is such that there will be situations where access to information is not possible, although such situations should be rare. Google's Titan security key, introduced recently with pride and aplomb, is manufactured in China, which has already prompted spoilsports to spit in the soup by asking for some transparency about supply chain security. Come on, guys, lighten up. We're pretty sure someone we connected with on LinkedIn
Starting point is 00:09:07 told us those supply chains in China are great. Just aces. Monday is Labor Day here in the U.S., and we'll be observing the federal holiday by taking the day off, probably to hit the Maryland State Fair up in Timonium. We'll resume normal publication and podcasting on Tuesday. Of course, Research Saturday will be up as usual tomorrow, as will the week that was.
Starting point is 00:09:31 It's just Monday we're taking off. Take a breather if you can, and we'll see you next week.
Starting point is 00:11:44 And joining me once again is Johannes Ullrich. He's from the SANS Institute. He's also the host of the ISC Stormcast podcast. Johannes, welcome back. We have seen a lot of stories coming by about iPhone security and how Apple has sort of been upping their game when it comes to some of the protections when it comes to the iPhone, doing time limits and so forth. But you wanted to share some news about how thieves are still managing to unlock iPhones. What do you have to share today? Yeah, what you mentioned is really, you know, when law enforcement tries to access a locked iPhone, they sometimes have access to these Craylock devices, or what they're called, that essentially brute force the PIN that's used to lock the device. So best practice, now you lock your device with a PIN code. But thieves go a little bit differently about unlocking iPhones.
Starting point is 00:12:49 They have a couple of neat sort of social engineering tricks that they tend to use. Now, one trick, for example, is your iPhone, well, it has a removable SIM card. The SIM card can be plugged into another phone. Typically, that other phone now takes on the identity of your iPhone. So that phone, which is owned by the thief, it's of course not locked. And it will now receive, for example, text messages that are used for password reset in some cases. And the attacker also now knows your phone number, which can be helpful for sort of other tricks that they're
Starting point is 00:13:25 playing, like social engineering tricks. Often when your iPhone is lost or stolen, you will now, for example, set up the iPhone in locked mode, which basically alerts you whenever it is being found. Well, what attackers are doing now is they'll send you a fake message that appears to come from Apple that tells you, hey, your phone was found. Click here to display the location. Imagine what happens next. Well, you click on the link and you end up on a phishing site. So now the attacker is able to get the username and password for your iCloud account. And with that, they may be able to turn off this lock on the
Starting point is 00:14:06 phone and reset it. In some cases, they may also just call you. If you display, for example, a phone number on the iPhone, and you can do that when you mark it as lost or stolen, they'll call you and they say, hey, we found your phone. And well, we want to send it back to you. But we first have to know that it's actually your phone. And then they trick you into unlocking the phone in order to do this verification. So a lot of social engineering happening here. Now, there are a couple of things that you can do to protect yourself. First of all, and that's a feature that's not often used, you can protect your SIM card with a PIN code.
Starting point is 00:14:45 What happens is when the iPhone is turned off and you turn it back on, before the SIM card can be used, you have to enter a four-digit PIN code. You can do this in your cell network settings within the iPhone, and that protects you from someone removing the SIM card and plugging it into another phone.
Starting point is 00:15:03 The second thing that you definitely should do is enable two-factor authentication to prevent some of these phishing attacks. All right. It's good information. Johannes Ullrich, as always, thanks for joining us. Thank you.
Starting point is 00:15:46 It's my pleasure to welcome back to the Cyber Wire Wired senior writer Andy Greenberg. He's author of the recent Wired article, The Untold Story of NotPetya, the most devastating cyber attack in history. NotPetya was this piece of malware that exploded across the internet on June 26th of 2017. And it at first seemed like it was a ransomware worm, like WannaCry, which had happened just a couple of months earlier. But then it turned out that there was no way to pay the ransom.
Starting point is 00:16:35 It was simply a wiper disguised as ransomware. It was just encrypting computers irreparably. And it targeted Ukraine, but spread across the world. And it used, I would say, three components to achieve a really virulent spread. It first used this backdoor in this Ukrainian accounting software called M.E.Doc that essentially allowed NotPetya's creators a foothold onto any machine that was running this kind of Ukrainian TurboTax or Quicken software. Anyone who was doing business in Ukraine basically had this software. And then within a network that was running that software on even just one machine, it could spread
Starting point is 00:17:17 by two kind of intertwined techniques. One was an adapted version of Mimikatz, the tool that can basically pull plain text passwords out of a Windows machine's memory and use those to log into any other machine that uses those credentials. And then the other one was the leaked NSA hacking tool, EternalBlue, which had been patched, but still, there was a patch available, but it still hadn't been patched to all the machines. So NotPetya would use that to break into unpatched machines, and then when a machine was patched, it could sometimes still get access with Mimikatz. And so with this kind of hopscotching technique of one exploit over the other one,
Starting point is 00:17:57 it could spread to thousands of computers within a multinational company's network in seconds sometimes. And it turned out to just be a devastating attack and spread to companies like Maersk and Merck and FedEx and the French construction company Saint-Gobain and the food producer Mondelez and just a long list of huge companies, inflicting nine-figure, hundreds of millions of dollars in damage to each one, and turned out to be the most expensive malware attack in history.
Starting point is 00:18:31 Now, your article digs into the situation at Maersk in detail. And one of the things that strikes me about this is that this crosses over the cyber domain. We're talking about real things, real products that have to be shipped around the world. Right. The book I'm working on is about this hacker group, Sandworm. And this seems to be their specialty, is that they inflict damage that does cross that line. They were responsible for the blackout attacks in Ukraine, for instance. And they deployed NotPetya, too.
Starting point is 00:19:03 And NotPetya did inflict this kind of physical paralysis as well, mostly by virtue of the companies that it hit. And Maersk is the best example of that. I mean, 17 of Maersk's 76 terminals and ports around the world were completely shut down by this with thousands and thousands of trucks just lining up outside of the gates of those ports, unable to check in. It was crippling of a big part of the global logistics supply chain. Now, one of the conclusions I think that there's general agreement on is that this was sourced from the Russians targeting Ukrainians.
Starting point is 00:19:44 But I think there's a lot of speculation and disagreement over whether it was intended to get out beyond that, whether it was intended to get out in the wild. And that's something that you touched on in this article. Well, computer worms spread by their very nature, and that means they often spread out of control, or almost always spread out of control, it seems like. In this case, it took literally, I don't know, minutes for NotPetya, it seems like, to spread beyond its intended target of Ukraine to all of these multinational companies that just had sometimes an office in Ukraine or a couple of computers even in Ukraine was all it took for one of those machines running this accounting software just to become the patient zero for their infection. Whether that was an accident is still up for debate. You know, the very least we can say that it was insanely reckless
Starting point is 00:20:35 of the Russian state to launch this piece of malware that had no controls, that had no way of trying to determine if it was in Ukraine or not before causing all this destruction. Craig Williams at Cisco Talos made the argument to me that it wasn't an accident that it hit all of these multinationals, that in fact, it was trying to send a message to them to don't do business in Ukraine. This is our enemy, stay away. In fact, I've heard before that one of Russia's goals with its ongoing cyber war in Ukraine, and this is really a multi-year thing now, is to scare away investments and partnerships and to make Ukraine look like a dangerous failed state that you don't want to do business in. And I think that this had that effect, whether it was intended or not. I do think that
Starting point is 00:21:22 multinationals are going to approach Ukraine differently when they know that it's essentially a war zone and that they could be collateral damage if they even put a foot into it. What was the response from the rest of the world in terms of policy? How did people come down on Russia? Was there punishment? Not initially and maybe never enough. It took eight months for the U.S. to institute sanctions in response to this. And it took nearly that long for really all of the Five Eyes to publicly state that this was Russia's, you know, Russia behind this. The fact that there were sanctions is, you know, I think that that's totally the right move. But eight months is quite a long time. And then not long after those sanctions were pushed through, it seems like the real proponents of that within the Trump White House, Rob Joyce and Tom Bossert, really the two most senior cyber officials,
Starting point is 00:22:26 left very mysteriously from the White House, and I have not yet gotten a good answer about why. We know that Trump has a very complicated story, notoriously, about responding to Russia, or is he soft on Russia? Is he willing to hold Russian hackers to account? It seems like, in this case, a couple of his officials were, but then they were very quickly pushed out, from what I can tell. So that doesn't send the right message to Putin either. I think it's encouraging that there were sanctions. It wasn't as unified a message as it could have been. Will it deter the next one of these?
Starting point is 00:22:56 It's hard to say. I mean, there were even sanctions against Russia for its election interference as well. And it seems like that has continued in certain ways, certainly around the world. And it is hard to put Putin in a box. It seems like he resists all forms of deterrence. So I don't know if it's enough. Yeah, it strikes me that, and I don't want to overstate it here or use hyperbole, but it reminds me a little bit of biological warfare in the way that this sort of thing can spread and reach beyond intended targets. And I can't help wondering if we need to head towards some sort of international norm where this kind of attack from a nation state is prohibited and nations around the world agree on that. I think that that does sound like the right answer. I mean, we talk about discussions of whether attacks on critical infrastructure are okay. And then sometimes it sounds like
Starting point is 00:23:54 they're okay in wartime. This was a wartime attack, but in this medium of the internet, attacks from one nation against another don't stay in that nation. So that's what happened here is that this was like a nation against nation attack that became a global epidemic immediately. And that is a dangerous, new, and I think poorly understood phenomenon. And the answer may be that we have to set rules about infectious, virulent attacks like this and just say that they're off limits, as you say, in the same way as biological warfare is. I mean, I think that treating this sort of thing and attacks on critical infrastructure by hackers as a kind
Starting point is 00:24:35 of war crime seems like part of the larger solution. That's Andy Greenberg, senior writer at Wired. He's the author of The Untold Story of NotPetya, the most devastating cyber attack in history. His forthcoming book is titled Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. We'll see that book's release next year. There's an extended version of my interview with Andy Greenberg over on our Patreon page. That's patreon.com slash thecyberwire.
Starting point is 00:25:15 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:25:39 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Starting point is 00:26:00 Thanks for listening. We'll see you back here tomorrow.