Feb 28, 2019

Axios Codebook

Welcome to Codebook, the cybersecurity newsletter that just sort of assumes you know all the lyrics to "Threepenny Opera" (see below).

1 big thing: Reading Cyber Command's message to Russia

Russian President Putin appears on a computer screen in a 2006 live webcast. Photo: Denis Sinyakov/AFP via Getty Images

According to a Washington Post report (and confirmations in Russian media), U.S. Cyber Command disrupted the internet access of Russia's Internet Research Agency on Election Day in 2018 — a clear attempt to send a message to the so-called "troll farm" to back off.

Why it matters: The gambit is a public example of the Defense Department's new "defending forward" emphasis in cyber defense, which aims to enter foreign networks to disrupt potential attacks.

The big question: Does sending signals this way work? Experts from intelligence, national security and academia seem to think it's at least worth a chance.

The big picture: The IRA hackers are Russia's most prominent purveyors of social media misinformation. But they work year-round, election years and not.

  • Stifling the group on one day — even Election Day — would not be a crippling blow. That doesn't mean the move was meaningless.
  • Michael Morell, former deputy director of the CIA and current host of the Intelligence Matters podcast, explained it like this via email: "The action was most likely designed to do two things: one, stop any activities that Moscow may have had for Election Day itself, and two, send a message that we can — and will — reach out and take such actions in the future." 
  • "And, yes," he continued, "such a 'statement' can be effective. If an adversary believes that they are not going to be able to do what they want to do, they may well not even try. It is an important part of deterrence."
  • "Demonstrating that we are willing to make it more difficult for cyber adversaries and to throw up hurdles for them is worth doing,” said Lisa Monaco, former assistant to the president for homeland security and counterterrorism in the Obama administration.

Yes, but: There are multiple unknowns on both sides of the message.

  • As of now, we're aware of two components of Cyber Command's signaling campaign: the Election Day move and an earlier effort to contact IRA operatives directly and ask them to knock it off — a not-so-subtle hint that we could identify who they were.
  • But there very well might be more than just those two actions in play.
  • "Will we look back 10 years from now and think November 2018 was when everything changed? Probably not," said Ben Buchanan, an assistant teaching professor at Georgetown whose book, "The Cybersecurity Dilemma," concerns how nations interpret cyber actions. "But it could be part of a larger effort that could have a bigger effect, for better or for worse."
  • Buchanan doesn't think there's much chance that Russia would misinterpret this kind of signaling. But signaling campaigns can be tricky, he said. "There's no shared understanding of what cyber actions mean. They're more ambiguous than troop deployments."

What's next: With cyber activities, it's hard to gauge what will provoke a response and what kind of response that would be.

  • But Michael Daniel, former White House cybersecurity coordinator and current CEO of the Cyber Threat Alliance, said via email we should anticipate some kind of response: "That’s why we need to be careful and judicious in the use of these capabilities, because the potential for escalation is high."
2. 🎵 Scarlet Widow starts to spread 🎵

The Nigerian romance scam gang Scarlet Widow has evolved toward using more business email compromise techniques, reports email security firm Agari in a follow-up to work released earlier this month.

Business email compromise? BEC scams convince organizations to transfer money to criminals, thinking they are transferring money to creditors.

Scarlet Widow is now targeting 30,000 individuals in 13,000 organizations across 12 countries — though most of the targets are U.S.-based, and most of nearly all the remainder are in the U.K.

  • Targets include the Boy Scouts, the Midwest Archdiocese of the Catholic Church and a major arts festival.
3. Illinois man pleads guilty to DDoS-for-hire scheme

Sergiy Usatyuk of Oak Park, Illinois, pleaded guilty to orchestrating millions of server-crashing distributed denial-of-service (DDoS) attacks for hire.

DDoS attacks overload servers with so much traffic that they collapse.

Details: Usatyuk and a co-conspirator operated a number of different DDoS-as-a- service websites (often called "stressers" or "booters").

  • One, ExoStresser, launched more than 1.3 million attacks.
  • The outfit amassed $550,000 from the scheme.
4. Rep. Quigly argues for more election security funds

Voters cast their ballots, Las Vegas, Nevada, Nov. 8, 2016. Photo: Ethan Miller/Getty Images

At a hearing yesterday, Rep. Mike Quigley (D-Ill.), chair of the House Appropriations Committee's subcommittee on financial services and general government, argued for the necessity of a Democratic plan to increase elections funding.

Background: Democrats want to add more than $1 billion to election security efforts as part of a broader election security push, beyond the $380 million distributed to upgrade systems last year.

What they're saying: "We saw an overwhelming demand for assistance. Every single state and eligible territory requested grant funding, and the Election Assistance Commission has disbursed every single dollar of the $380 million," said Quigley, according to the official transcript.

5. Trump uses his Putin reasoning in Kim answers

During his press conference with North Korean leader Kim Jong-un, President Trump said he took the Pyongyang dictator "at his word" that Kim didn't know about a U.S. prisoner allegedly tortured into a vegetative state in a North Korean prison.

Why it matters (to cybersecurity): This is largely the same reasoning that Trump used to deny Russia was involved in election hacking during the 2016 election after a summit with Vladimir Putin: "They said they think it’s Russia. I have President Putin; he just said it’s not Russia.”

Our thought bubble: Trump was skeptical about the Russia attribution before the summit, but the similarity suggests a broader pattern of behavior. While the president's critics argue that Trump's Russia comments reveal a fealty to Russia, maybe, just maybe, the comments show Trump's willingness to take even reviled figures at their word after they speak to him face to face.

6. Odds and ends
  • The website of the Bangladeshi Embassy in Cairo is spewing malware: (Trustwave)
  • Facebook pushes back on Project Veritas "stunt." (The Verge)
  • The FTC takes on its fake Amazon review case. (Ars Technica)
  • A note from Russian state media: "Russia willing to work with US on cybersecurity, but Washington stalls." (RT)
  • IBM is sorry it used Brazilian and South African terms in asking for the race of internship applicants, especially given the results: "White," "Black," and "Yellow." (Ars Technica)
  • Social media security firm ZeroFOX adds an image analysis tool to its kit. (ZeroFOX)
  • Intel released new security testing products, including an open source firmware testing tool. (Intel)
  • AlienVault is now AT&T Cybersecurity. (CBR)
  • An unpatched PDF bug is targeting Chrome users. (ZDNet)