CyberWire Daily - Where’s Kim Jong-un? Disinformation campaigns against European targets. Cyberattack against wastewater treatment plants. Hupigon RAT is back.

Episode Date: April 27, 2020

Reports to the contrary, as far as anyone really knows, North Korea's Kim is still large and in charge. Poland reports a Russian disinformation effort. The EU issues a controversial report on COVID-19 disinformation amid accusations that Europe is knuckling under to Chinese pressure. A cyberattack on wastewater treatment systems in Israel is reported. And the old Hupigon RAT is back, and looking for love. Caleb Barlow from CynergisTek covers responsibilities during an incident, from the SOC operator to the CEO. Our guest is Dave Weinstein from Claroty on threats and existing security violations facing U.S. critical infrastructure. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_27.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Reports to the contrary, as far as anybody really knows, North Korea's Kim is still large and in charge. Poland reports Russian disinformation effort. The EU issues a controversial report on COVID-19 disinformation amid accusations that Europe is knuckling under to Chinese pressure.
Starting point is 00:02:17 A cyber attack on wastewater treatment systems in Israel is reported. Caleb Barlow covers responsibilities during an incident from the SOC operator to the CEO. Our guest is Dave Weinstein from Claroty. He discusses threats and existing security violations facing the U.S. critical infrastructure. And the old Hupigon RAT is back and looking for love.
Starting point is 00:02:43 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 27, 2020. We begin by addressing a story that's still developing and that remains inconclusive, but which, if borne out, could have significant implications for conflict in cyberspace. Reports have been circulating since last week that North Korean leader Kim Jong-un is either dead or incapacitated, possibly as the result, some outlets say, of heart surgery gone wrong. The New York Times offers a representative sample of such stories, but Reuters reports that South Korean authorities remain skeptical that Mr. Kim is anything but in charge. Reporting on the secretive North Korean regime is notoriously difficult,
Starting point is 00:03:30 and most experienced observers think that the health of the Kim family is the most closely guarded of all secrets. Kim Jong-un hasn't been seen in public recently, but that's happened before, and the cautious South Korean official assessment is probably the safe bet, at least for now. According to the New York Times, Polish security services say that the country has been subjected to a complex disinformation operation whose structure and apparent goals are consistent with earlier Russian influence operations. The centerpiece of the campaign is a fake letter posted to the website of the War Studies Institute, a defense academy for senior Polish military leaders. Purporting to be from the Institute's director, the letter calls for Polish soldiers to fight American occupation.
Starting point is 00:04:17 The website itself was hacked, compromised in order to post the letter, which of course is a complete fabrication. The attribution to Russia is circumstantial but convincing nonetheless. The disinformation is entirely consistent with earlier Russian influence campaigns in both content and the ways in which its messaging has been amplified in small journalistic outlets and social media. U.S. forces have moved progressively eastward with NATO expansion in that direction. Their presence doesn't begin to approach the size of the U.S. Army Europe during the height of the Cold War, but U.S. forces remain, from Moscow's point of view, as unwelcome as ever.
Starting point is 00:04:56 The content of Russian messaging and such influence operations has generally been consistent. U.S. troops behave badly, and they're not needed, and their presence is a standing affront to national sovereignty. Russian disinformation also prominently featured in a report the EU issued at the end of last week concerning disinformation campaigns that seek to take advantage of the COVID-19 pandemic. It's familiar stuff. Moscow is interested in using the emergency
Starting point is 00:05:24 to increase mistrust among and within its adversaries. More interesting, however, and controversial, is the report's treatment of Chinese disinformation surrounding the pandemic. The European External Action Service's Internal Memorandum on Disinformation Efforts reached substantially the same conclusions as the U.S. State Department. Russia, China, and Iran have engaged in highly harmful disinformation that's gone viral, especially in smaller media markets. The assessment we mention is the EEAS internal report.
Starting point is 00:05:57 According to the New York Times, EU officials, under pressure from Beijing and desiring to achieve more amicable relations, delayed publication of the report from Tuesday until Friday and softened the harsher conclusions about China before rendering their public statement. In the Times' judgment, the original report was not particularly strident, a routine roundup of publicly available information and news reports. The Times reports that Chinese government protests to EU officials were responsible for the delay in publication. For its part, EEAS has denied modifying its report
Starting point is 00:06:32 under Chinese pressure. An EEAS spokesperson told EURACTIV yesterday, quote, we have never bowed to any alleged external political pressure, end quote. Differences between the two drafts are of the purely editorial sort that commonly arise when an internal document is revised for public distribution. A spokesperson said, quote, as is the case for all publications, there are internal procedures in place to ensure the appropriate structure, quality, and length, and particular attention is paid to ensure that the phraseology is unassailable, end quote. Indeed, the public report does retain most of the internal memorandum's charges against Beijing.
Starting point is 00:07:10 In the meantime, the BBC reports that China has also rejected an Australian-led call for an investigation into the origins of COVID-19, dismissing it as politically motivated efforts that would serve nobody any good. As the BBC paraphrased Chen Wen, a senior diplomat in China's mission to the UK, quote, There were lots of rumors about the origins of the virus, but such misinformation was dangerous, she claimed, and said it was like a political virus and as dangerous as coronavirus itself, if not even more so. End quote.
Starting point is 00:07:47 A British official speaking with the BBC on condition of anonymity said there was nervousness about confronting China since relations with Beijing are presently delicate. Chinese Foreign Ministry spokesperson Geng Shuang said at a regular press briefing this morning, China always opposes the fabrication and spread of disinformation by any person or institution, according to Beijing-headquartered CGTN. The foreign ministry's position is that there's no reason to think the virus originated in China, and that, insofar as disinformation is concerned, China is more sinned against than sinning. In fact, in Beijing's view, it's not sinning at all. They're the real victims here. For a summary of Chinese active disinformation about the coronavirus, see the EU's External
Starting point is 00:08:31 Action Service's original internal report, widely available online and linked to on the CyberWire's coverage of the cybersecurity dimension of the COVID-19 pandemic. Pages 7 and 8 make a particularly snappy read. Dave Weinstein is Chief Security Officer at Claroty. He's a non-resident fellow at New America National Security Institute and former CTO of the state of New Jersey. He offers his insights on threats and existing security violations facing the U.S. critical infrastructure. Security with respect to critical infrastructure is still actually a fairly nascent field when you look at it on a macro level. That is to say that most critical infrastructure owners and operators are relatively immature with respect to protecting their operational technology networks. That's largely a factor of the burgeoning connectivity between their information technology networks and their OT networks.
Starting point is 00:09:35 So four or five years ago, there was much less of a compelling reason to, for example, monitor your ICS network because it enjoyed a relatively high amount of security due to its isolation from the rest of the public-facing infrastructure. That has all changed in recent years and organizations are compelled to take more proactive measures to lock down their systems. So it's still nascent, but the curve is increasing rather quickly as critical infrastructure asset owners and operators look to bring down the risk as fast as they can. How are the organizations that provide these critical infrastructure components?
Starting point is 00:10:33 How are they doing when it comes to applying standards and taking the steps to make sure that the systems are secure? Actually, they're doing really well. And they're a very significant and often underappreciated piece of this puzzle. So I'm glad you asked the question. As you know, there's a relatively small group of manufacturers that mass produce industrial control systems. And these industrial control systems are found in our factories, they're found in our power plants, they're found in our substations. And as I alluded to at the outset, there was never a real compelling reason to design these systems with security in mind. There was no encryption in place, there was no authentication. But that has changed, of course, over the last several years. And
Starting point is 00:11:20 they're really taking the lead to build security into their products from the outset. That's Dave Weinstein from Claroty. Israel's wastewater treatment infrastructure appears to have been subjected to a coordinated series of cyber attacks over the weekend. The Algemeiner quotes official sources as saying the attacks were unsuccessful and that service has been uninterrupted. And finally, Proofpoint reports that the venerable Hupigon remote-access Trojan, venerable by internet standards since it's been around since 2006, has been repurposed to
Starting point is 00:11:58 lure American university students with adult-themed dating phish bait designed to attract the lovelorn and insufficiently skeptical. While Hupigon has been used by state-sponsored organizations, Proofpoint thinks that in this present round it's being distributed by criminal gangs with commonplace criminal goals. But should you receive an offer to get to know Ashley, a student who's looking for adventure, or to make the acquaintance of Laura, an artist who loves funny men, please do think twice. You will receive a nice helping of Hupigon,
Starting point is 00:12:31 whose features include, Proofpoint says, rootkit functionality, webcam monitoring, and the ability to log keystrokes and steal passwords. It may be old, almost as old as Ashley and Laura claim to be, but as commodity malware, it still poses a threat, even if it is looking for adventures with funny men. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:13:35 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:14:18 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a thousand dollars off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great
Starting point is 00:15:21 to have you back. We wanted to talk today about some of the responsibilities that different folks have during an incident at all ranges of the organization. What do you have to share with us today? Okay, so these are what I like to call the primary three duties that you have to think about when you're responding to a cybersecurity incident or you're building a runbook. And let me first say, Dave, this is not a legal construct. So all your folks over at the Caveat podcast actually could probably have some fun with this, but these are not legal constructs. They're more of ethical obligations of leadership during a crisis. And part of the reason why I wanted to talk about this is we're all thinking about crisis response as we kind of deal with coronavirus,
Starting point is 00:16:05 and a lot of people are busy kind of updating their runbooks. So, you know, these are three things you can really look at in your runbook or your plan and say, have I covered this? So the first of them is what I call the duty to respond. And this is all about answering a couple simple questions. Who detects and responds to an incident? And here's the tough one, Dave. How do you determine if an incident is of magnitude? Now, that sounds really simple, but let me tell you, it's really hard. Who decides?
Starting point is 00:16:39 You know, who decides if a thing is a thing and kind of pushes that big red button to, you know, rally the troops and the team? Because remember, you don't necessarily have a lot of information when it first happens. And then lastly, in this kind of duty to respond, how do you communicate that an incident has occurred, realizing that the incident may affect your communications? Do you have emergency notification systems or ways out of band to get a hold of people? What about the chain of command when it comes to these things of handling that internal communication? I mean, is this a time when it's okay to skip around, jump levels, or do we have to – is it important to maintain that line of communication? Well, you know, it's critical to maintain a lot of communication, but who's in charge gets really
Starting point is 00:17:31 intriguing because I would argue when the incident, the first sign of the incident, the person in charge is that person in the SOC that's eyes on glass. But over the course of the incident, as the incident elevates, likely the person in charge starts to change. And this brings us to the second duty, what I call the duty to convene. So at this point, you've decided you have an incident of magnitude and it's time to convene your team. You've effectively pressed that big red button. Who's part of that group and who makes the decisions? Not trivial to figure out. I imagine, too, this is a big practice like you play sort of thing where, you know, from your experience running these simulations, that's a very different thing than just having it laid out in a binder, you know, step by step on paper.
Starting point is 00:18:21 Oh, absolutely. And this, Dave, brings us to the next duty, which is the duty to act. Because at the end of the day, having a plan's great. If you're not willing to kind of pull the proverbial trigger, plan isn't any good. And you've got to make decisions quickly with limited data. So who's going to make those decisions? How do you handle lines of succession? How do you make decisions quickly with limited data and evaluate that risk? And then here's the big one most people aren't willing to do. How do you ask for help? How do you reach out to law enforcement or cyber counsel or, you know, competitors even? Some of the biggest incidents I've worked have completely changed because I was willing to reach out to my
Starting point is 00:19:05 direct competitor and say, hey, are you seeing the same thing I'm seeing? Because if you aren't, then I've got something wrong on my end. And if you are, then we both need to act right now. Yeah. And I imagine, you know, learning to put ego aside is critical, but so hard to do. Well, and I'll give you a perfect example of this. So if you remember back to NotPetya, everybody was saying, oh, it must be phishing, right? No one was thinking it could actually be SMB. And I remember my team was working in this,
Starting point is 00:19:37 and like, Caleb, we cannot find the phishing email. I'm like, keep looking. They looked all night through literally one billion phishing emails. They couldn't find it anywhere. And I'm like, man, I can't go public with this. If this is phishing, I'm going to look like an idiot. So I ended up calling up Dave Maynor, who was at Cisco at the time, my direct competitor. And I'm like, Dave, I got to fess up to them. I can't find it. And he's like, thank God you called, Caleb. I can't find it either. And it was that moment where, because we're both willing to talk to each other as competitors,
Starting point is 00:20:09 they realized, wait a second, this isn't phishing. This is something else. And it completely changed how everybody was looking at the response. And, you know, lo and behold, we found open SMB ports, right? And no one thought, ever thought that was possible, but you've got to be willing to reach out to others and ask for help, even when it's uncomfortable. Yeah. All right. Well, Caleb Barlow, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:20:46 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:21:31 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Starting point is 00:22:05 Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
