The week that was.
A leaked NSA document describes a two-stage Russian election influence campaign (and the alleged leaker is arrested).
On Monday the Intercept published a leaked, classified, NSA report that detailed Russian hacking during 2016's US elections. In August of that year an election software vendor sustained a phishing attack apparently aimed at gaining access to credentials that would permit reconnaissance and inspection of voting systems (for the most part voter registration databases). After the initial compromise, a spearphishing campaign against various state and territorial election officials was mounted. This seems more of what's long been known or suspected: voter registrations lists appear to have been compromised, but there's little evidence that vote counts themselves were susceptible to manipulation (Ars Technica).
On Saturday, June 3rd, the FBI interviewed and arrested a 25-year-old US Air Force veteran, Reality Leigh Winner. Since leaving the Service in February, Winner had been employed in the state of Georgia by Federal contractor Pluribus International. The Justice Department announced that Winner has been charged with "removing classified material from a government facility and mailing it to a news outlet, in violation of 18 U.S.C. Section 793(e)" (Department of Justice). She is alleged to have printed and removed the classified report from a secure facility on May 9th. Authorities learned of the leak last week when a news organization, unnamed in official reports but presumably the Intercept, sought to authenticate the material (Motherboard).
The Intercept has refused to name its source, and in any case it's possible they received the material anonymously. Edward Snowden thinks Winner's prosecution would be an assault on freedom of the press, but that, of course, is hardly what the lawyers would call an admission against interest. Why the news outlet would have shown a copy of the document to the "US agency" (presumably NSA) for authentication is unknown, and seems odd. They would have done a better job of protecting their source had the people they showed it to not been able to see folds and a printer's steganographic dots. WikiLeaks' Julian Assange is on the warpath against the Intercept for what he regards as outrageously negligent journalistic malpractice (also not an admission against interest) (Daily Beast).
Winner served in the US Air Force as a cryptologic language analyst (with proficiency in Pashto and Farsi). She last served in the 94th Intelligence Squadron at Fort Meade, Maryland, home of NSA and US Cyber Command (Air Force Times). Airmen serving as cryptologic language analysts are intelligence specialists "responsible for translating and analyzing messages" (US Air Force). Winner will plead not guilty; by some accounts she's considering a strategy of appearing sweet and inoffensive (WSB-TV). The Federal magistrate judge has ordered her jailed pending trial (Chicago Tribune).
It's unknown how successful the Russian influence attempts described in the leaked report were. But observers note that the US Government's "cut it out," naming-and-shaming efforts (Politico) seem to have had small effect, since the Russian campaign (attributed to Fancy Bear, that is, the GRU) continued into the election season's final weeks (NPR). Russia's President Putin's comment on this and other aspects of the long-running controversy over election influence comes down, essentially, to yolki palki, fiddlesticks: it's all "a lot of nonsense." Besides, he doesn't even know US President Trump (Military Times).
Former FBI Director Comey testifies before the US Senate Intelligence Committee.
Former FBI Director Comey's testimony Thursday before the US Senate Intelligence Committee has proved a Rorschach test: within limits, it's complex enough for observers to project onto it what they will (and they've done so). WIRED's headline writers put it this way: "James Comey said exactly what you wanted him to say" (WIRED). There's indeed much on which partisans may fasten (and fasten they have). Among the points seized on are these: Comey said that President Trump lied about the reasons for the firing (Foreign Policy), that there was no evident collusion between the Trump campaign and Russian intelligence services (Washington Examiner), and that President Obama's Attorney General pressured him to characterize the Bureau's criminal investigation of former Secretary of State Clinton's handling of classified information as a "matter," not an "investigation" (CBS News).
He was most unambiguous, however, about the scope of Russian influence operations during the US Presidential elections. "There was a massive effort to target government and near-governmental agencies, like non-profits." The former FBI Director said he became aware of the campaign in 2015, which would be around the time Cozy Bear began its quiet snuffling at US political networks, and long before Fancy Bear barged noisily into the Democratic National Committee's emails. There were, Comey said, "hundreds of entities" targeted, and so the operations were not confined to the DNC.
As Comey put it, "a foreign government used technical intrusion to shape the way we think" (Computing). Much commentary has talked up the novelty of the operation, representing election influence as something new under the sun. But of course it's not, and Comey was quite clear on that point, describing such operations as representing long-standing Russian practice. "They'll be back," he noted.
To summarize some recent Russian operations post-November, they appear to have taken a swipe at President Macron's campaign in France and possibly at the snap elections Prime Minister May called in the UK. The UK case is interesting in the organized sockpuppetry in Twitter apparently mobilized in the interest of Labour leader Corbyn (Express). Influence efforts in France seem to have had little effect. Whatever took place in the UK was overshadowed by terrorism and ongoing controversy over Brexit. Prime Minister May's Tories lost their majority but retained a plurality, and so she will seek to form a coalition government (Reuters).
Anomali this week published a special report, "Election Security in an Information Age," that provides context and historical perspective for understanding influence operations.
Hacks with diplomatic consequences.
Six Arab governments severed diplomatic ties with Qatar Monday, citing that country's alleged support of extremism (Foreign Policy). Diplomatic tension has run high since May 23rd, when the Qatar News Agency (QNA) published favorable remarks about Iran and Israel. QNA said it was hacked, and that the statements were malicious fabrications, but Egypt, Saudi Arabia, Bahrain, Yemen, the United Arab Emirates, the Maldives, and one of the competing regimes in Libya weren't buying it (CSO). The development has greatly complicated US efforts to promote an "Arab NATO" that would take a leading role in the fight against extremism (Defense News). The diplomatic rift has also complicated Chinese plans for a "new Silk Road" trade arrangement in the Gulf region (South China Morning Post). The US FBI has been assisting with investigation of the incident; the Bureau attributes it to Russian actors, perhaps criminal, perhaps governmental, in all likelihood the usual mix of the two. Governmental motives in this case are easier to project (Guardian).
Over last weekend two other hacking incidents affected Gulf countries: Bahrain's Foreign Ministry's Twitter account was hijacked, apparently to protest that country's suppression of dissent (News24), and a hitherto obscure hacktivist group, "GlobalLeaks," promised to release discreditable emails from the United Arab Emirates' ambassador to the US (Daily Beast). GlobalLeaks' threatened doxing has yet to materialize, but another hacking campaign is in progress in Qatar, where Doha-based al Jazeera reports sustaining a prolonged and persistent distributed denial-of-service campaign. The technical culprit is said to be a version of the Mirai bot-herding malware (Ars Technica).
Really well-known wolves.
One of the London terrorists killed during last Saturday's attacks, Khuram Shazad Butt, was so well known that not only did the police have his name, but he was even featured in a British television documentary that aired on Channel 4 in 2016, “The Jihadist Next Door” (ABC News). He was apparently a disciple of, and collaborator with, radical Muslim cleric Anjem Choudary (Fox News). Butt was not only under MI5 surveillance (Independent), but his brother had received a grant from police to work against radicalization of Muslim youths; apparently the brother was sincere in his counter-radicalization work (Times).
In furtherance of investigation, Apple hinted Monday that it had turned over relevant metadata to British authorities (TechCrunch).
British security services are receiving a great deal of criticism for missing, or disregarding, signs of dangerous jihadist activity, especially by people who left the UK to fight for ISIS abroad, and then were permitted to return. Some critics point to what they see as a temptation common to most security agencies: a strong desire to wash one's hands of a problem when the problem departs the country to make mischief elsewhere.
Prime Minister May's renewed efforts to restrict end-to-end encryption attract unfavorable comment from those familiar with encryption (New Scientist). Not only does the known-wolf phenomenon seem to render terrorist encrypted comms beside the point, but most inspiration is open, not encrypted (Wired). How her plans to restrict encryption will proceed now that she's lost seats in the snap election she called remains to be seen.
Germany's Federal Prosecutor's Office Thursday announced the arrest of a Syrian national who had served as a conduit between terrorists and the ISIS news agency Amaq (Generalbundesanwalt).
It's worth noting the heavy toll in suffering and grief jihadist terror exacts in Muslim-majority countries, too: terror isn't confined to the dar al-harb. In the ISIS view of the world Shi'ite Muslims are hardly less, maybe even more, objectionable than Zionists and Crusaders. Two massacres in Tehran this week drove the point home: Iranian authorities say the five killers were known fighters for ISIS, presumably responding to the pack's howling of Ramadan inspiration (Military Times).
Information operations don't lend themselves readily to technical countermoves. Beyond the blunt instrument of lock-down censorship, which can be and often has been circumvented, a more effective, discriminating response would seem to lie in information itself, what some have called counter-messaging. Why countries and cultures adept at marketing fail so dismally at marketing-in-battledress, which is what such information operations come down to, calls for some analysis and introspection. America, to take one such country and culture, excels at selling stuff, including shiny, noisy, meretricious geegaws, but falls miserably short when it tries to sell ideas like "you won't be rewarded in paradise for the murder of the innocent." Russia, to take a different country and culture, struggles to sell cars or pop music, but seems to enjoy success selling the idea that Qatar is simultaneously supporting the mutually incompatible goals of ISIS, Israel, and Iran.
Part of the difficulty appears to lie in the easy willingness to conflate ideologies with very different goals and an appeal to very different constituencies. ISIS, the Ku Klux Klan, and Sendero Luminoso may all count as "violent extremists," but to lump them together as amenable to being dealt with in the same way is probably to mistake the problem (War on the Rocks). A jihadist's motivations and commitments differ greatly from those of a Maoist killer, which in turn have little in common with those animating the isolated losers of some rump Klan Klavern. Some such will always be little more than what former FBI Director Comey described last year as the "screwed up individuals" who are with us always (the CyberWire), but others can't be so easily dismissed.
Google, fundamentally an advertising company wrapped in impressive technology, has a sister think-tank under its holding-company parent Alphabet that's devoted some thought to the problem. The think tank, Jigsaw, believes that effective counter-messaging depends on engaging the human at the right time with the right information. It helps, for example, if you can discern someone's nascent interest in jihad, and present them with "the dark side of ISIS" before they buy their ticket to Syria. By then it's too late. So the technology is an adjunct for human engagement, not a magic fix for trolls, bullies, and, especially, terrorist inspiration (Wired).
And, of course, attribution, deterrence, and retaliation.
President Putin may call pointing to Russia a lot of nonsense; still, there've been a lot of Fancy Bear and Cozy Bear sightings over the last two years. Attribution does remain tough, and consequently so do deterrence and retaliation. It's usually obvious who launched a missile, much harder to determine who loosed a worm. Microsoft, which has been pushing for a cyberspace Geneva Convention that would place large regions of the Internet off-limits to attack, has called for formation of a non-governmental organization, an international NGO, that would handle and broker attribution (NDTV).
The US Congress takes the matter up from the other end, considering legislation that would require the Department of Defense to notify Congress within forty-eight hours of undertaking offensive or defensive cyber operations outside an active theater of operations. Notification would also be required when the Department reviewed cyber weapons to determine their legitimate use under international law. Covert operations would be excluded (Defense One).
Criminals are out there, too: it's not all spies and hacktivists.
The familiar Turla cyber gang has returned, hiding their command-and-control infrastructure in creative ways, including Instagram posts about Britney Spears (HackRead).
Data breaches are also still a problem. A database of US cars' VINs (and the cars' owners, some ten million of them) has been exposed online; it's expected to prove valuable to thieves (Help Net Security). And researchers at 4iq have found a major breach at educational service provider Edmodo, with data on more than seventy-seven million unique users circulating in the dark web (4iq Delve Deep).
Several new Android infestations have been found, including some leading to drive-by infection (Zscaler). At least two malicious apps have been circulating. One masquerades as a security product implausibly purporting to be from Google: "Ks cleaner." It secures admin rights on infected devices and uses them to display ads, download other apps, etc. (HackRead). Kaspersky has found rooting malware "DVmap" hiding behind a simple puzzle game, "colourblock," and Google has ejected this one from the Play Store (Threatpost).
The straightforward news: this week's patches.
Several major vendors patched their products this week. Google's June Security Bulletin for Android is out (TrendLabs Security Intelligence Blog). Google also fixed more than fifty vulnerabilities in Chrome (Threatpost). Enterprises are applying mitigations for EternalBlue vulnerabilities in Windows 10 (Threatpost). Cisco fixed issues in its Prime Data Center Network Manager (Threatpost). VMware addressed critical vulnerabilities in its vSphere Data Protection solution (TrendLabs Security Intelligence Blog). And IBM "quietly" released a fix for an old, known bug in its Spectrum Protect backup solution (Threatpost).
Finally, marketplace notes.
Cyber considerations are increasingly important in mergers and acquisitions (iTWire). They famously complicated Verizon's acquisition of most of Yahoo! when Yahoo!'s big data breaches came to light, but that deal will finally close Tuesday (Mercury News). Layoffs are expected (Ars Technica). With talent scarce, hiring managers elsewhere might take a look at those being let go: many good people will find themselves between opportunities.
This CyberWire look back at the Week that Was discusses events affecting Bahrain, China, Egypt, France, Germany, Iran, Israel, Libya, Maldives, Qatar, Russia, Saudi Arabia, Syria, Ukraine, United Arab Emirates, United Kingdom, United States, and Yemen.