CyberWire Daily - Winnti and other Chinese espionage activity. Volume I of the US Senate report on election meddling is out. Ransomware from Sabine, Louisiana, to Johannesburg, South Africa.
Episode Date: July 26, 2019
Winnti and other Chinese threats have been active against German and French targets. The US Senate Intelligence Committee has issued the first volume of its report on Russian operations against US elections--this one deals with infrastructure. Louisiana declares a state of cyber emergency over ransomware. Johannesburg’s power utility is also hit with ransomware. And you could get up to $175 from the Equifax breach settlement. Daniel Prince from Lancaster University on experimental protocols for ICS security systems. Guest is Joseph Menn, author of The Cult of the Dead Cow. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_26.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Winnti and other Chinese threats have been active against German and French targets.
The U.S. Senate Intelligence Committee has issued the first volume of its report
on Russian operations against U.S. elections. This one deals with infrastructure.
Louisiana declares a state of cyber emergency over ransomware. Johannesburg's power utility
is also hit with ransomware. And you could get up to $175 from the Equifax breach settlement.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, July 26, 2019.
A joint report by BR and NDR
describes the long-running Winnti industrial espionage campaign
against major German companies.
The targets were drawn from the DAX-30, a set of blue-chip companies listed on the Frankfurt Exchange.
Winnti's operations go back to 2011 and showed a familiar mix of intelligence and criminal motivation.
The initial attacks seemed purely criminal and were directed against Karlsruhe-based gaming company Gameforge.
By 2014, the group had moved on to industrial espionage against chemical and pharmaceutical
firms, starting with Dusseldorf's Henkel, whose adhesive technologies were of interest.
The operations against French targets had a political motivation, according to L'Opinion.
Chinese operators worked to manipulate voting at
the UN to prevent a French candidate from election to the international body's agriculture and food
portfolio. The U.S. Senate Intelligence Committee has released the first volume of its report on
Russian election interference. No new revelations, but the scope, intent, and methods of Russian
operations in 2016 are plainly documented.
This volume of the report focused on threats to election infrastructure,
with a consideration of influence operations to come later.
The report concluded that extensive activity targeting election systems had begun by 2014, at least,
and that much of that activity targeted state and local election infrastructure.
All 50 states received attention from Moscow between 2014 and 2017.
The level of activity is alarming, but the good news is that the committee found
no indications that votes were changed, vote tallying systems were manipulated,
or that any voter registration data was altered or deleted. The federal government
did provide warnings at the time, but the committee regards those as insufficient and
often directed to the wrong people. Further volumes will no doubt deal with influence
operations. In the meantime, the Washington Post notes that it's not just Russia. Other countries,
especially Iran, have also gotten into the business. Russia has shown
the greater sophistication, but Iran hasn't been too far behind. Russian information operations
tend to be opportunistic, their goal being degradation, not persuasion. Iranian operators
like to persuade and tend to be a bit one-note, establishing sock puppets that retail stories
from Tehran's official media and that tend to focus on the Islamic Republic's line.
States of emergency in the U.S. are generally declared in the aftermath of natural disasters
like hurricanes and ice storms.
Now one has been declared in response to a set of cyberattacks.
The governor of Louisiana has declared a state of emergency in response to
ransomware attacks on school districts in three northern Louisiana parishes, Sabine, Morehouse,
and Ouachita. Governor John Bel Edwards has declared the emergency to invoke special powers
the state now makes available for response to cyber incidents. Files have been encrypted and
systems are generally down throughout the
school districts. This is exactly the second time a state has declared an emergency over a cyber
attack. Colorado did it last year when its Department of Transportation was hit by SamSam
ransomware. A note on Louisiana local government. A parish in Louisiana is what other states would
call a county, a level of government between the municipal and the state.
It has only an etymological religious significance.
A parish is a civil institution.
A South African city's electrical utility has been interfered with by a cyber attack.
City Power, the electrical utility that serves Johannesburg,
was hit by ransomware, according to multiple reports in
the local media. The attack didn't cause a power failure, but it did induce a kind of service
disruption. Customers who prepay for electricity are unable to do so because many of City Power's
public-facing business services have been taken offline. The Johannesburg attack is therefore
similar to the incident Baltimore is still recovering from.
In the U.S. case, it was water billing. In South Africa, it's electricity.
In Baltimore's case, the mayor's office has backed off from earlier claims that the city was hit by rogue NSA EternalBlue attack code.
It now acknowledges that the attack was RobbinHood ransomware
and not sinister stuff making its way up I-95 from Fort Meade.
The city is still investigating and recovering, but it can't say too much because the investigation
is still ongoing. They have released the names of the companies Baltimore has retained to help
with the investigation and remediation. They're FireEye, Clark Hill, Secular, DynTech Services,
So does it scale? Who hasn't asked, or at least heard that question?
With respect to content moderation, the answer seems to be, not painlessly and not without a lot of labor.
Content moderation at YouTube, Facebook, and Twitter is largely done in a very labor-intensive fashion,
with employees in the Philippines looking at an awful lot of awful,
the Washington Post reports.
It's not clear that it could be otherwise.
Whatever hopes are being vested in the algorithms,
they're apparently not up to speed yet.
And finally, The Verge and others are explaining how to apply for Equifax breach compensation.
Don't expect too much.
You might get up to $175 if you're lucky.
So don't spend it all in one place.
And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at
Lancaster University. Daniel, it's great to have you back. We wanted to talk today about some
work that you've been doing about testbeds and designing experiments around industrial control
systems. What can you share with us today? Well, thanks for having me back. So we do a lot of work
here at Lancaster University around industrial control systems, cybersecurity, particularly
around the technological end, the operational technology end. And we've had several years of experience of building large-scale testbeds
which mimic, credibly, real-world environments.
And we've noticed in the literature more broadly,
there's been quite a significant focus on the creation of testbeds
and how to create credible testbeds that when you perform your experimentation on,
you can scale those results up to the different types of implementation, so water or other
utilities, for example. But one of the things that we've been starting to look at now is,
you know, effectively building the testbeds is really your scientific apparatus. What does it
mean to perform high quality scientific experimentation
on those?
And actually, are we building those test beds as high quality scientific apparatus as well?
So it's not just about establishing the credibility, but also how do you actually perform experiments
on these industrial control systems test beds so that we can really learn some interesting
concepts that we need to take forward into the field.
Can you give us some examples of how those two things intersect?
Yeah, so when we think about building a test bed, one of the things we do is establish that as a scientific apparatus, as a replication of a real world environment, which is effectively what a lot
of scientists do with their lab equipment. They think about how does this chemical reaction, you know, or whatever it might be, the physical experiment, is that
representation of a real world environment. We have really focused on creating the apparatus
as best we can. But then how do you actually perform the experiment on top of that? What are
the protocols? What are the issues around the apparatus that you're using?
What are the restrictions? What are the conditions? So we can't go out and build a whole water
treatment work, for example. It's too complicated. There's too many real world processes. So how,
when we're setting up an industrial control systems testbed, how do we make sure that the
equipment that we're putting in, so the operational technology, the industrial control systems, that's correct.
How are we making sure that the physical processes that we're putting into that, those are correct and they scale up to the real world environment.
Then when we perform the experiment, whatever that might be, so that might be a penetration test, that might be understanding a new intrusion detection system, that might be understanding a new piece of technology for protection that goes in there.
How do we ensure experimentally and with experimental rigor that those results would be repeatable within a real world environment?
And if they aren't necessarily 100% the same, what are the caveats that we need to put around the experimental results
that anybody taking our information and working in the real world need to understand so that
they can put additional maybe security controls in and around that?
How much of this, if any, involves checking in with the folks who have that experience
out in the field, the folks who can say, yeah, you know, the manuals all say
to do this, but everyone who's out there actually knows that this is something you have to look out
for. That's the credibility aspect. And that's one of the things that in some of the papers that
the folks here have written about is one of the key things that we always try to establish
with the apparatus, for example. So whenever we implement, say, an
industrial control system for something like a water treatment plant, we always then try and
check that with a range of field engineers or other sort of technical roles. Say, is this actually
what would happen? And that establishes the credibility of the test bed, and that's an essential
part. But what we're really interested in now is making sure that we are doing rigorous experimentation.
So that if, say, for example, we gave the same testbed apparatus with the same experiment to
somebody else, how do they do that in such a way that they can get similar results? It's not just
wildly divergent, depending on who does the experiment, we want to really
understand what it means to have highly defined experimental protocols around the results
production that we can then really take forward into the industry to get them to understand the
issues around the experiment, but also to be able to extrapolate those results to two slightly
different environments. All right. Well, Daniel Prince, thanks for joining us.
My guest today is Joseph Menn.
He's a longtime investigative reporter on technology issues, currently working for Reuters in San Francisco.
He's the author of several books, the latest of which is titled Cult of the Dead Cow:
How the Original Hacking Supergroup Might Just Save the World.
So the Cult of the Dead Cow was born in Lubbock, Texas in either 1984 or 1986.
And it started out in the bulletin board era where people had 300 baud modems.
And in order to connect online, it was
a tremendous effort and not very satisfying. These guys, the originals, were, you know, young teenagers,
11, 12, 13. You know, they'd gotten kicked out of the sort of like the local bulletin board
for being like too young and ignorant. So they wanted to be elite by themselves, so they created their own bulletin boards.
One of them was Demon Roach Underground.
So that was the home board of a kid
who took the name Swamp Rat,
which was later more delicately named Grandmaster Rat.
His real name, I put in the book, is Kevin Wheeler.
You know, he was a misfit.
Most of these kids are misfits.
They're smart, but they didn't, you know, fit in with the culture in Texas.
And they were really desperate to communicate with each other.
So they had these Walton boards.
And back then, frequently only one person could connect at a time.
Right, right.
And so it was really tedious.
So by necessity, the early folks are early tech adopters because they're the ones who would have put up with it.
They build this sort of virtual clubhouse for themselves and their other group of friends that they gather together here.
So how then does it evolve to sort of common activities and efforts that they're making as a group?
Right. So there are a number of keys or transitions.
In the beginning, what brings them together, this group of independent bulletin board operators,
were the Cult of the Dead Cow text files. So text files are just essays. They could be fiction,
they could be nonfiction, they could be about, hey, in the case of the CDC, some of them were
about hacking and some of them were just, you know, funny. So it was sort of like underground paper, like underground newspaper, high school underground newspaper
type stuff. Some of them were political, they're frequently funny, and sometimes they're obscene.
They distributed them, you know, to other bulletin boards. And there were a lot of like important,
like sort of marketing decisions that the group made. And one of them was to number these text
files, other bulletin boards would want to have on hand like CDC, you know, numbers one through 10, or so forth, you
know, they didn't, they wanted a complete set. And so while other, many other bulletin boards did
text files, the CDC ones got spread pretty widely and got, you know, famous for that era of the
internet. As the group grows, are they putting any sorts
of guardrails on themselves? I'm thinking of, um, you know, dealing with things that might be
illegal. Um, you know, I remember back in those BBS days, uh, you know, phone phreaking was a popular
thing because you had to deal with things like long distance charges. Was there tolerance of that
sort of thing, or did they
self-police themselves? How did it work?
So this is very interesting and I go into this in quite a lot of detail in the
book. In the beginning, everybody was stealing long distance service because if the bulletin
board wasn't in your area code, then you had to pay long distance fees or your parents had to pay long distance fees
in order to connect.
And, you know, these you're going to be online for a while, particularly if you're trying
to download anything, a program, a game, anything like that.
You're going to be connected for a long time, much, much longer than you would be to just
chat to your cousin or some friend on the other side of town.
So these kids were all looking at multi-hundred dollar phone bills, and the parents would
cut them off after one month of that.
So they basically all scrambled to get calling card codes, credit card numbers, or other
ways, illicit ways to connect online.
And so there was kind of this moral forge that happened where everybody had to consider,
you know, what was okay
about breaking the law. And was it better, was it okay morally, for some reason, to steal from
AT&T because, you know, you didn't approve of them politically,
or they're a monopoly, or whatever? You know, it's hard to justify as an adult, but you know,
when you're 13 and you really, really want to connect, you're willing to cut some corners. But what's interesting to me is that people drew their own moral lines.
There was a wide variety. Some of the people in CDC did many more things
that were considered criminal. But it was never a focal point of the group. And it was
for some others like Legion of Doom, Masters of Deception, quite famously, and they were
breaking into all kinds of stuff and you know and hacking each other in pretty serious ways,
which led to a lot of them being arrested.
And that was never what CDC was about.
But I think one of the most interesting things is that these guys who sort of grew up with
figuring out, knowing exactly where the law was,
and deciding, in some cases, where to cross that line,
actually makes them more reflective about what is appropriate and what isn't than the clean-cut kids that
are just coming into cybersecurity today that went to a nice college and went for a big
company and just start doing cybersecurity things.
Those people can be kind of sleepwalked into doing things that they might later think is
a bad idea.
These guys, a lot of them are really generalists and we're really curious about other parts of the security setup.
And, you know, one of the things I admire about CDC is that, you know, they went beyond the technical stuff and sort of approached the media and politics with that same sort of critical hacker mindset.
We need to make things better writ large. And maybe we don't know anything about how Congress works, but we'll figure it out if we
have to. It strikes me that as a group like this that starts out with a bunch of people who are
teenagers and young adults, that it can survive this long, that it can survive that initial group going into adulthood and having to face all the things that all of us do as we become adults with bills to pay and families and so on and so forth, that it's been able to survive those changes I think is quite remarkable.
It's not only remarkable, it's unique.
There is no other U.S. hacking group that has had anything like that kind of a career.
It's funny, depending on somebody's age and when they came into the scene,
some people will say, oh, yeah, CDC.
When I first got online, those were the first text files I saw.
And other people that came in a little later, it's like, oh, yeah, I was just starting to hack. And the first tool I used was Back Orifice, which was one of those publicly released anti-Windows tools.
And then other people who say, oh, yeah, the first thing I heard about them was I was into politics,
and I heard about this thing called hacktivism, which is something that the CDC invented.
So all these successive phases of security work or internet culture,
the CDC was in the forefront. Now, the subtitle of the book is How the Original Hacking Supergroup
Might Just Save the World. What's your notion here that they could be the group to save the world?
Well, they've already done, as I've outlined, some pretty amazing things, right? There's @stake, which included people
like Alex Stamos, who went inside and became chief security officer at Yahoo, which he left
on principle after a secret court order asked for Yahoo to turn over, to search all of its users'
emails for something. And then he went inside Facebook as chief security officer and blew the
whistle on Russian election interference. So I think historically a very important move. Also from @stake, we get Window Snyder, who was the driving force behind Windows XP Service Pack 2 at Microsoft, which was a great leap forward in Microsoft security.
And then there's Katie Moussouris, who is sort of known, I guess, as the like a godmother of the bug bounty movement. She got Microsoft to pay its first bug bounties,
got the Pentagon to pay hackers who are also working within a friendly framework.
And then there's Veracode. So Chris Rioux, the same guy who wrote Back Orifice 2000,
the '99 sequel to Back Orifice, founded Veracode with another member
of the L0pht, Chris Wysopal. And Veracode allowed big software buyers to see what the
binaries in the code that they paid for were actually doing, as opposed to just looking at
what the source code thought they should be doing. And that really was another way to tip the scales
away from the software oligopolies and monopolies to the customers who have been generally left in the dark and with very little recourse.
So there are those things. There's the entire hacktivist movement, which continues to this day in various flavors. But I think really more than anything, it's the idea of critical thinking that hackers as sort of outsiders and critical thinkers have
tremendous value for society, and this sort of sense of moral purpose. And I think big tech is
in a lot of trouble right now, not just security, but big tech is in a lot of trouble right now,
because it lost touch with those roots, with the sense of technology being something that is
supposed to make people's lives better. It's been about improvements in technology and
about profit. And it hasn't really been about helping people. And I think a lot of that is
because the people running these companies didn't go through this sort of moral forge
that the old school hackers did. Well, the book is The Cult of the Dead Cow.
Joseph Menn, thanks so much for joining us.
Thanks for having me, Dave.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.