Jan 10, 2019

Axios Codebook

Joe Uchill

Welcome to Codebook, the cybersecurity newsletter that really likes your shoes.

Don't forget to send me story ideas by replying to this email.

1 big thing: Hacker recruiting goes corporate

Photo: Spencer Platt/Getty Images

The Dark Overlord, a cybercriminal collective known for targeting a few flashy, high-profile victims, is hiring. They've even posted a help wanted ad, archived by the threat intelligence firm Digital Shadows — and their job listing is more like "The Office" than "Mr. Robot."

Why it matters: If you imagine hacking and cybercrime as an alternative subculture of punk kids with keyboards, think again: Hacking groups are businesses of a sort, and some of them are borrowing the language and recruiting techniques of the mainstream.

The Dark Overlord's job listing, posted in November, is a window into IT hacking as a daily-grind office job.

  • "Very corporate," said Rick Holland, chief information security officer and vice president of strategy at Digital Shadows. "If you saw that ad pop up on Indeed, you’d think it was an average tech company."

Background: The Dark Overlord is the group that famously threatened to leak "Orange is the New Black" and "Game of Thrones" content if networks didn't pay up. More recently, the group has begun leaking documents from insurance providers related to 9/11.

"Must have a winning attitude." According to the job listing found on the KickAss hacker forum, "If you're goal oriented and used to objectives and achieving them, you're perfect for us."

  • The listing is pure Silicon Valley, sprinkling corporate programming buzzwords and human resources jargon amid tightly organized subheadings.
  • The job listing requires 10 years' experience in software design, network management or systems administration, with 5 years working in a "team-based cooperation environment."
  • Applicants "must be able to bring innovative approaches to the operations and work outside-the-box regularly." They'll need to submit to certification and skills testing. ("We do that too!" notes Holland.)
  • The Dark Overlord offers either a salary or commission payment structure. Save for the higher figures (the job pays a starting salary of as much as 50,000 British pounds a month), the salary option would fit in any office park. There's a 90-day probationary period with the potential for a raise after a year.

The bottom line: View The Dark Overlord as a late-stage tech startup trying to grow its workforce after early buzz wore off and some of the original talent has begun to depart.

  • The TV and 9/11 hacks, including a promotional site for the "Game of Thrones" operation, have kept the group's public profile aloft.
  • But Holland says business has been down for The Dark Overlord. Deposits into the group's cryptocurrency accounts have dwindled.
  • Meanwhile, there has been turnover at the office. Digital Shadows notes that the group allegedly recently lost some of its talent to arrests — a problem less common, though not entirely unheard of, in the more conventional tech industry.

2. Internet address hijacking spree tied to Iran

FireEye reports that a multiyear, global campaign of hacking government, telecommunications and internet infrastructure systems has ties to Iran.

Why it matters: The previously untracked hacker group uses a technique known as DNS hijacking, which is uncommon for campaigns of this scale.

DNS, or the Domain Name System, is like the internet's equivalent of a telephone operator switchboard. It translates human-readable web addresses like "axios.com" into the numeric internet addresses that computers actually connect to.

  • DNS hijacking changes the record of domain names to point to different internet addresses, rerouting traffic to a different system the hackers have chosen.
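As an added example (not code from Axios, FireEye or any vendor tool), here is a small defender-side check for the kind of tampering described above: it parses dig-style answer lines into record sets and flags any watched record type (A, AAAA, MX, NS) that now carries data absent from the owner's published baseline, which is how a hijacked record looks from the outside. All names, addresses and records are constructed sample data.

```python
"""Detect DNS hijacking by diffing observed answers against a trusted baseline.

Added illustration, not code from Axios, FireEye or any vendor tool; the
baseline and the answer lines are constructed sample data."""
from collections import defaultdict

# Constructed baseline: the record sets the domain owner actually published.
BASELINE = {
    ("example.test.", "A"): {"192.0.2.10"},
    ("example.test.", "MX"): {"10 mx1.example.test."},
    ("example.test.", "NS"): {"ns1.example.test.", "ns2.example.test."},
}

# Constructed answers in `dig +noall +answer` form: "<name> <ttl> IN <type> <rdata>".
# The A and MX records now point at hosts the owner never published: a hijack.
OBSERVED_ANSWERS = """\
example.test.  300  IN  A   198.51.100.7
example.test.  300  IN  MX  10 mx9.other.test.
example.test.  3600 IN  NS  ns1.example.test.
example.test.  3600 IN  NS  ns2.example.test.
"""

WATCHED_TYPES = {"A", "AAAA", "MX", "NS"}

def parse_answers(text):
    """Parse dig-style answer lines into {(name, type): {rdata, ...}}."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blank lines, comments and non-record output
        records[(parts[0], parts[3])].add(" ".join(parts[4:]))
    return dict(records)

def find_hijacked(baseline, observed, types=WATCHED_TYPES):
    """Return (name, type, expected, unexpected) for each watched record set
    that now carries data absent from the baseline."""
    hits = []
    for (name, rtype), expected in sorted(baseline.items()):
        unexpected = observed.get((name, rtype), set()) - expected
        if rtype in types and unexpected:
            hits.append((name, rtype, expected, unexpected))
    return hits

if __name__ == "__main__":
    for name, rtype, exp, got in find_hijacked(BASELINE, parse_answers(OBSERVED_ANSWERS)):
        print(f"ALERT {name} {rtype}: expected {sorted(exp)}, observed {sorted(got)}")
```

In practice the baseline comes from the registrar or zone file and the observed set from several independent resolvers, since a hijack at the registrar level changes what every resolver returns.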

Details: These attacks targeted dozens of victims in the Middle East and North Africa, Europe and North America, and they were clustered between 2017 and the present.

  • The hackers used internet addresses previously used in attacks attributed to Iran, which FireEye notes implies a connection to Iran.
  • However, basing an attribution on internet addresses alone is not generally considered particularly strong, and FireEye is not ready to say outright that the attackers are Iranian.

3. Report: Tribune ransomware attack was criminals, not nations

McAfee assesses that the ransomware attacks that hobbled the distribution of the Los Angeles Times and other Tribune papers in late December were carried out by a criminal group, not a nation, as the Times itself had reported.

The intrigue: Attackers used Ryuk ransomware, a variant of Hermes ransomware that has been used by the North Korean Kim Jong-un regime to funnel cash to the nation. But McAfee notes that Ryuk and Hermes have each been offered commercially on a Russian hacker forum, which appears to be the source of recent infections.

That doesn't mean it's impossible for North Korea to be behind the Tribune attacks. But Ryuk's use alone doesn't strongly suggest the attack was from North Korea.

4. Forget a global right to be forgotten, says EU bigwig

Google will likely win its plea to limit European privacy rules known as the "right to be forgotten" to web searches in the European Union, according to a determination by Advocate General Maciej Szpunar summarized here by Reuters.

Why it matters: The "right to be forgotten" gives people in the EU the ability to demand Google remove some links about them from search results. In 2016, France declared that those links had to be removed from search results globally and not just within the EU, which Google is currently challenging.

The big picture: Szpunar took Google's side in the case, and the EU courts generally follow the advocate general's lead.

5. Reddit locks accounts in "security concern"

Photo: stockcam/Getty Images

On Wednesday, internet megaforum Reddit locked "a large group of accounts" due to a "security concern," according to an administrator's post.

What they're saying: "By 'security concern,' we mean unusual activity that did not correspond to the account’s normal behavior that may indicate unauthorized access," wrote colorfully nicknamed admin Sporkicide.

6. Odds and ends

  • The ACLU opposes attorney general nominee William Barr as "the godfather" of controversial government surveillance programs. (ACLU)
  • In a bombing case, German police are asking for the public's help locating the owner of the system sporting a networking identifier known as a MAC address. (ZDNet)
  • It's not so much that conservatives share more fake news on social media as it is senior citizens sharing more fake news — and senior citizens are disproportionately conservative. (The Verge)
  • There's a new majority in the House. We're still sorting out what happens to committee Twitter accounts. (The Atlantic)
  • Social scientists are arguing over whether the oldest woman in history was a fraud. (The Verge)

Joe Uchill

Codebook will return next week, when we'll be even more honest than ever before.