CyberWire Daily - SWIFT fraud in India. DPRK hacking updates. Notes on Russian influence ops, both indictments and continuing activity. Alleged Florida gunman may have been an Internet known wolf.
Episode Date: February 20, 2018

In today's podcast we hear that SWIFT fraud has hit an Indian lender. North Korean hacking continues, even during the DPRK's Winter Olympics charm offensive. US indicts Russian influence operators; the Internet Research Agency is the leading defendant. Russian trolling continues, exploiting the Florida school shooting. (And the alleged shooter apparently expressed his intentions online.) Rick Howard from Palo Alto Networks, on the importance of partnering with universities to improve the quantity and diversity of people coming through the STEM pipeline. All Five Eyes see Fancy Bear behind NotPetya. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash N2K, code N2K.
SWIFT fraud hits an Indian lender.
North Korean hacking continues even during the DPRK's Winter Olympics charm offensive.
The U.S. indicts Russian influence operators; the Internet Research Agency is the leading defendant. Russian trolling continues, exploiting the Florida school shooting, and the alleged shooter apparently expressed his intentions online. And all Five Eyes see Fancy Bear behind NotPetya.
I'm Dave Bittner with your CyberWire summary for Monday, February 20, 2018.
In 2016, the Bangladesh Bank was the victim of fraud committed via the SWIFT International Fund Transfer System.
Recently, banks in Russia have reported similar fraudulent transfers,
and over the weekend, a small commercial lender in India also reported robbery through SWIFT exploitation.
On Sunday, that country's City Union Bank said cybercriminals had hacked its systems
and transferred nearly $2 million in three unauthorized remittances to lenders overseas.
The bank blocked one of the transfers, $500,000 designed to move through a Standard
Chartered Bank account in New York to a lender based in Dubai. A second transfer, €300,000,
roughly $372,000, was routed through a Standard Chartered Bank account in Frankfurt to an account
in Turkey. In this case, the Turkish lender involved prevented the transfer
from being finalized. The third transfer went through. It traveled to the Zhejiang Rural Credit
Cooperative Union in Hangzhou, China, via a New York Bank of America account, and that successful
remittance amounted to $1 million. It's worth noting that as was the case with 2016's raid on Bangladesh Bank,
the security issues appear to have been on the bank's end
and didn't represent a general compromise of the SWIFT system itself.
The Bangladesh Bank heist has generally been attributed to the Lazarus Group,
the North Korean government hacking unit,
but the City Union Bank fraud is so far unattributed.
It's also not known who was responsible for 2017 SWIFT-based raids on banks in Russia.
That country's central bank said last week that cybercriminals made off with 339.5 million
rubles, about $6 million, over the course of the year.
Its ongoing charm offensive in Pyeongchang aside, North Korea has continued cyber operations against its customary targets.
And according to a study by security firm AlienVault,
worms developed by the DPRK continue to circulate.
Some are unsophisticated, some more so than others,
and some have the appearance of developmental articles that got loose from their creators.
These include WannaCry, of course, and also the Brambul family of malware that's been
in circulation for nearly ten years.
Two other worms that are out and about are Rivets and Fedavor, both of which have been
served by North Korean news agencies.
Rivets has been found in the Voice of Korea website.
Fedavor has infested the Korean news agency.
Both of these appear to have initially hit targets within the DPRK.
Favidor is thought to be associated with the Dark Hotel threat group
that's aggressively prospected government and business leaders who have some interest in North Korea.
There are reports that a DPRK hacking unit has decamped from Hong Kong
and set up shop in the Russian Far East.
The Japan Times reports that a North Korean cyber ops group formerly based in Hong Kong
has left the Chinese city in an apparent attempt to evade enforcement actions by Hong Kong authorities.
They now appear to be operating from Vladivostok and engage mostly in cybercrime
designed to redress sanction-induced
North Korean financial shortfalls.
On Friday, the U.S. Justice Department announced an indictment based on Special Counsel Mueller's
investigation of election influence operations.
Three Russian organizations and 13 Russian individuals were charged with conspiracy and
other crimes related to activities during the 2016 election cycle.
St. Petersburg's Internet Research Agency is alleged to have played a significant role in what it itself called, quote,
information warfare against the United States, end quote.
Their activities seem to have consisted of a mix of conventional espionage and social media-enabled propaganda.
Among their more interesting accomplishments are alleged to have been the organization of political demonstrations, in which unwitting people disposed to believe the worst of their
opponents were induced to attend astroturfed rallies.
During the election season, their activities were directed against eventual Democratic
candidate Clinton, first in support of her primary opponent, Senator Sanders,
and then with a big push for her general election opponent, Donald Trump.
After the election, the Russian ops put on a couple of resist actions against Trump.
Discord and mistrust were the overarching goals of the alleged Russian operation.
Such operations are widely expected to continue.
And apparently, they are continuing, midterm elections or no.
There are reports of Russian trolls exploiting last week's Florida school massacre with various pro-gun messages.
When the opportunity arises, they can be expected to move to anti-gun messaging.
The goal isn't any particular policy, but rather a weakened, confused, and divided United States.
The alleged shooter in that massacre, by the way, seems to have been a known wolf,
disturbed, lone, and not apparently part of any movement. He is said to have disclosed his
intentions in various social media. A person close to the alleged shooter called the FBI
tip line on January 5th about him, and in September of last year,
a YouTuber also contacted the FBI about him. He had left a comment on a video saying,
I'm going to be a professional school shooter. But the January tip seems to have been particularly
detailed and disturbing. Florida authorities say the Bureau failed to alert them to the danger,
and Florida's governor has called for the resignation of FBI
Director Wray. The FBI itself says it failed to follow proper protocol and that it's investigating
how it handled the tips. The Bureau says it covered, quote, Cruz's gun ownership, desire to
kill people, erratic behavior, and disturbing social media posts, as well as the potential of
him conducting a school shooting,
end quote. In fairness to the Bureau, which does indeed seem to have been supine in this case,
local authorities dealt with a lot of red flags too. The Broward County Sheriff said his office
had responded to about 20 calls about the shooter over the last few years.
Finally, to return to Russian cyber operations,
they're not all confined to propaganda.
All Five Eyes, that is the intelligence services of Australia, Canada, New Zealand,
the United Kingdom, and the United States,
have now looked at NotPetya and see the same thing,
a Russian government operation.
They receive public industry support from FireEye, which sees the work of the Russian Sandworm Group in last year's pseudo-ransomware campaign.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Rick Howard.
He's the chief security officer at Palo Alto Networks,
and he also runs Unit 42, which is their threat intelligence group.
Rick, welcome back.
You know, you and I have touched on the notion of capture the flag contests
and the importance of them.
You all have an event coming up soon.
You're partnering with the University of Alabama.
So besides plugging that, I thought maybe we'd revisit this notion of the importance of these events.
Yeah, you and I talked before about the shortfall in open cybersecurity jobs. Some
people predict that by next year, there'll be 2 million jobs open, meaning that the commercial
and government organizations around the world have open jobs for cybersecurity positions, but will not be able to fill them with qualified people.
So in order to help that, we're experimenting with how do you get more people interested in cybersecurity.
And one way you might do that is with capture the flag contests.
Let's talk about how even harder the problem is.
You know, it sounds easy, just train people and they can be cybersecurity people.
But it's a really trenchant problem. And here's one of the issues. We're not hiring
enough women and minorities into these cybersecurity positions. In the tech industry in general,
women make up 25% of the workforce. And if you look at cybersecurity specifically,
they only make up about 11%. And if you add an adjective that identifies, say, a black woman
or a Hispanic woman or a religion other than Christian, that number drops below 1%.
Yeah, that's not good numbers.
Okay, so but even if you're not a diversity inclusion fan like I am, all right,
if that's not your passion project, let's just say you're trying to fill, you know,
some of your vacancies out there. If you are just being practical, in order to fill these 2 million jobs,
you need to expand the potential pool of candidates.
That means that at least half of your candidates have to come from the female gender.
Even I can do that now.
All right.
So, I mean, let's get out there.
Let's hire more women.
What's keeping us from doing that?
Well, you know, as is always the truth in the world, the problem is way more complicated than you think it is.
It turns out that you have to get a lot of things right to be successful here.
So first, you have to keep women and minorities that you already have employed happy in your workforce.
And, you know, happy that they're there.
And what I mean by that is that the environment is toxic for whatever reason.
You know, there's a bro culture or there's unconscious bias against women and minorities,
or even if there's conscious and sanctioned bias against them,
women and minorities are not going to stick around.
So we have to fix that issue.
Second is that you have to develop a culture within your own organization
that is pro-diversity and inclusion if you ever want to hire new employees.
And that means that leadership of your organization has to stand up and say
that diversity and inclusion is an important part of the company culture,
not only because it's the right thing to do,
but because a more diverse group gives us better ideas about how to solve the company's problems.
This is a leadership thing, and more old white guys like me need to stand up and own this thing. Right. And then lastly, this is the hard part. You have to hire qualified people.
I am not suggesting that you have to lower your standards to hire these employees that you want.
What I'm saying is if you are hiring for an open position and if you are wading through a stack of
resumes, if at least half of those candidates are not women and minorities, you're doing it wrong.
But OK, so but let me play devil's advocate here.
And, you know, how about getting women into the pipeline, women and minorities?
I've heard hiring people say, I'd love to hire these people, but I'm not getting the resumes on my desk.
Yeah, you know, I just don't accept that notion.
OK, the CyberWire helps out with the women-in-tech conferences.
I attended the Grace Hopper conference last year.
They claim it's the largest gathering of female technologists on the planet.
And I got to tell you, I couldn't collect resumes fast enough because there were so many talented women there.
But it is true that too many young women, sometime between their junior high and high school years, they tend to lose interest in STEM subjects.
And I had to look it up because I always say the word STEM, but I never remember the acronym.
It stands for science, technology, engineering, and math.
So as a community, we don't really understand why that happens that well, but you can't really argue that it isn't happening. One potential solution is to find ways to keep young women as early as elementary school
engaged and inspired about the cybersecurity field before they start to lose interest,
because it's really tough to capture them again once they've walked away. So what my organization
is trying to do, what many are trying to do, and what we're doing in the next couple of weeks is organize cyber
events for young people. The idea is to capture their interest early and keep them interested.
So we're hosting one on February 24th at the University of Alabama at Birmingham.
We're running a capture the flag contest organized by the school's grad students.
We have some 20 high school teams participating, and Palo Alto Networks is
giving away $20,000 of scholarship money for the winners. So help me understand here why Palo Alto
feels that this is a good place to invest this kind of money. Yeah, you know, and it seems small,
right? You know, 20 teams is not that big, right? But here's the thing. There are hundreds of these
cyber events going on in the country right now.
And that must mean everybody thinks it's a good idea is why I bring this up.
Here's a problem that I've noticed, though.
We're all stovepiped.
No one group is talking to everybody else.
It's tough in that environment to judge what is working at a national and international scale and what is not.
I think this is a perfect thing for a government agency, maybe DHS, to get behind.
You know, organize a national cyber event program where we could collect everybody under
one umbrella.
I don't mean they own everything.
I just mean they could, you know, everybody's part of this big organization.
So we could figure out what organizations need resources.
We could collect some stats and we can share what's working and what's not.
OK, this is one way we could scale the effort. And, you know, I've heard from the people who do the
hiring that these capture the flag contests are ways for people to differentiate themselves on
the resume side. Yeah. I mean, you can definitely pick out the talent. I mean, we've done this one
at the University of Alabama. This is the second year we've done it. When we did it last year,
you can definitely say, oh, I want to get that guy's information or that person's information
because they're going to be talented and going to be great for us going forward.
All right, Rick.
Well, good luck with the event.
It's coming up at the University of Alabama.
We hope you get lots of people come out for it.
Thank you, sir.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Thanks for listening.
We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com