The week that was.
An apparent espionage campaign was (apparently) a glitch.
What looked like a Border Gateway Protocol (BGP) hijacking campaign Monday seems to have been the result of error. Traffic from Google's enterprise-focused services was inexplicably routed through Chinese and Russian ISPs, apparently because of a fumbled upgrade, swiftly remediated, at Nigerian ISP Main One. The incident amounted to a denial-of-service condition for Google business users that lasted a little less than an hour and a half (WIRED). Main One publicly acknowledged responsibility and outlined how the issue arose. Not everyone is convinced. A Tel Aviv University researcher and co-author of a paper on BGP hijacking as an espionage threat said it would be easy to misrepresent attacks as nothing more than errors (Reuters). So, probably an error, but also an instructive reminder of the security and availability issues surrounding BGP, and of the risk of hair-trigger attribution of cyberattacks.
Operation Shaheen and the White Company
Cylance reports a cyberespionage campaign, "Operation Shaheen." It's unusually sophisticated—prepped, staged, evasive, and quiet—and targets Pakistan's military, especially the air force. Cylance researchers named the campaign after the Shaheen falcon that provides Pakistan's air force emblem. They call the threat actor "the White Company" because of the great care it takes to cover (whitewash) its activities. Cylance evaluates the White Company as a nation-state actor, but doesn't say which nation-state (CSO).
More Spectre and Meltdown vulnerabilities reported.
University researchers have reported seven new variations on the Spectre and Meltdown transient-execution chip flaws. Two are Meltdown variants (a protection key bypass and a bounds check bypass). The remaining five are Spectre variants that exploit either the pattern history table or the branch target buffer. The researchers say the flaws haven't all been addressed by vendors, but Intel at least disagrees (SecurityWeek).
The state of information operations.
Russian intelligence services weren't entirely quiet during the US midterm election cycle (USA Today), but they were apparently less active this year than they were in 2016. Why that's so, and why even their low-cost and probably low-risk trolling seemed attenuated, remains unclear, but speculation turns to a mix of possible explanations: US Cyber Command deterrence, more suppression of inauthentic accounts, US indictments of individual Russian operators, better Federal and state cooperation on election security, the inherently more disparate nature of midterms, and, finally, a sense on the Russians' part that they've already done enough damage to civic trust and civil discourse. President Putin may have been content to relax and let American rancor do his work for him (Wall Street Journal).
Facebook seems more willing to tackle trolls than it was in 2016. A New York Times report says the social network did a lot of whistling in the dark during that presidential election cycle.
GPS jamming during NATO exercises.
NATO’s large Trident Juncture exercises, conducted in and around Norway last week, saw apparent Russian jamming of GPS signals with the evident intent of disrupting the wargames. Russia had objected to the exercise—the largest since the Cold War’s Autumn Forge exercises—as “sabre-rattling.” Trident Juncture opened on October 25th and wrapped up on November 7th. Russia denied any involvement in the jamming (Times).
Indiscriminate GPS jamming isn't just an operational nuisance, but a clear threat to safety of navigation as well. The Norwegian airline Wideroe said its flights lost GPS signal while inbound to airports in northern Norway and Finland, and Finnish air traffic control warned of widespread GPS disruption. Finland is investigating, and Prime Minister Juha Sipilä said, "[I]t's possible that Russia was behind it. We will investigate, and then we will respond. This is not a joke; it threatened the air security of ordinary people" (Deutsche Welle).
The Paris Call.
French President Emmanuel Macron issued the “Paris Call for Trust and Security in Cyberspace” at the UNESCO Internet Governance Forum this week (France Diplomatie). The Call amounts to a declaration of principles. About fifty countries signed on to it (but not China, Russia, or the United States), and it found favor with Big Tech, as both Microsoft and Google (and Kaspersky) figured prominently among private sector supporters (Fortune, Hypertext). The signatories commit to cooperation in eight areas: resilience, Internet availability and integrity, election security, IP theft prevention, cyberweapon counter-proliferation, more secure IT products and better digital hygiene, enforcement actions against cybercriminals and terrorists, and development of stronger international standards. The Paris Call could serve as a framework within which nations might achieve a modus vivendi, but obviously there’s a lot of work left to be done, and it's premature to regard any nation's reservations as a rejection of international norms in cyberspace.
RiskIQ and Flashpoint Tuesday issued a joint report on Magecart, the family of increasingly aggressive carding campaigns against e-commerce sites. The researchers identify six criminal groups as responsible for Magecart activity, and they trace the threat from its modest origins as the Cart32 online shopping cart backdoor (discovered in 2000) to the present threat responsible for large-scale attacks on large enterprises including Ticketmaster and British Airways. Magecart proper emerged in 2015. The criminals monetize their theft of paycard data either by selling it to other crooks in carding fora, or by enlisting mostly unwitting mules to buy goods and ship them to the gang.
Plum Island's black start.
Last week an exercise, "Liberty Eclipse," tested how utilities subjected to catastrophic cyberattack might restore electrical power to a dead grid, a "black start." DARPA's Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program ran the tests on Plum Island in Long Island Sound, an isolated location where a small but realistic power grid could be safely disrupted without risk of the test outage cascading into the larger power grid. The RADICS director said, "We had 18 substations, two utilities, two command centers, and we had two generation sources that we had to bring up a crank path and synchronize. It had a realism that you don’t really find in lab environments that made you rethink the approach" (WIRED). A black start represents a tough case, and must be managed carefully and gradually. Liberty Eclipse's week-long challenge offered opportunities for interesting improvisation (E&E News).
Concerns about grid cybersecurity aren't confined to the US. The UK has long been thinking about the problem (Insurance Journal).
Crime and punishment.
Phineas Phisher, whoever he may be, is off the hook in the Hacking Team caper of 2015 in which the Milan-based lawful intercept company was breached and doxed. Italian authorities have abandoned the investigation (BoingBoing). "I'm ready to go to jail if I have to, but I'd rather stay free and active," Phineas told Motherboard. Hacking Team's irregular reputation (its products were used by some uncontroversially repressive regimes) led many to regard Phineas Phisher as a kind of Dark Knight vigilante. There's some of that, maybe, but there's also a record of criminal behavior that goes beyond hacking a spyware vendor. Phineas Phisher paid for the attack infrastructure he used with stolen Bitcoin, the better to evade authorities.
Tyler Barriss has taken a guilty plea to charges stemming from his instigation of a lethal swatting in Wichita, Kansas, last December (Ars Technica). These were not the only charges he faced: the US Department of Justice said Mr. Barriss also admitted to almost fifty other charges, most of them hoax bomb threats. One of those bomb threats was directed against the Federal Communications Commission; Mr. Barriss disapproved of weakening net neutrality.
In a story that's far less funny than bald retelling suggests, a Swedish man has received six and a half years in prison for mailing a letter bomb to what he thought was the address of a Bitcoin exchange that wouldn't change his password (Naked Security). The London Met's bomb squad rendered the device safe, but it could have been lethal, and it sat in the mailroom unopened for five months (Graham Cluley).
Courts and torts.
Microsoft may be looking at GDPR fines for its use of Office 365 telemetry, specifically that collected for the ProPlus subscription to the desktop suite and Office 365's web-based version. It's a matter of Redmond sharing the data internally among some thirty members of its team as opposed to external leaks or data releases, and the EU acknowledges that telemetry is simply a part of the contemporary software donné (Computing). But the complaint, which originated in the Netherlands, is concerned with the intrusive level of detail the telemetry picked up, including not only email subject lines, but also sentences run through spellcheck and grammar checking tools, as well as input to the translation tool. One can imagine legitimate product-improvement interests in all of these, but still, it's a lot.
Fancy and Cozy Bear say the DNC can’t sue them. Russia's Ministry of Justice says that, even if the Bears did hack the Democratic National Committee (and they're not saying they did, understand, it's more that they're speaking hypothetically on behalf of a friend), the DNC can't sue them. Such is the claim the Russian Ministry of Justice made in a ten-page “statement of immunity” delivered to the US State Department. If such alleged hacking happened at all (which, mind you, they’re not saying it did, but IF it did)…they say that such alleged hypothetical hacking would have been a “military action” and as such shielded by the Foreign Sovereign Immunities Act of 1976, the US law that affords foreign governments a degree of immunity for some actions they take inside the US. If, that is, they took any such alleged action at all. And besides, you too, Yankees: with everything you do, you really want people to take you to court, too? Tu quoque, buckaroo (ABC News).
Policies, procurements, and agency equities.
The US Congress passed legislation establishing the Department of Homeland Security's National Protection and Programs Directorate as a major agency, and cementing its place as the principal Federal civilian agency for cybersecurity (Department of Homeland Security). It's now on the President's desk for signature (Fifth Domain).
Nigeria's young Cyber Command, which was established in August from elements of the military, is concerned with counterterrorism, but the government hopes the new organization will also be effective in reducing the country's notoriously vigorous and deeply entrenched cybercriminal gangs (TechNative).
Fortunes of commerce.
The Five Eyes glower at Huawei and other Chinese manufacturers. A US panel recommended Congress restrict the Government's doing business with a range of Chinese vendors (SecurityWeek). And Germany is expressing growing concerns about the potential security risk of made-in-China devices (Computing).
Belgium's government has decided to continue using Kaspersky products (Telecompaper).
To deflect criticism that it's too close to the Russian organs, and in the face of what it calls a trend toward "technological nationalism" (ZDNet), Kaspersky is moving key elements of its operation to Switzerland (Sky News). Zurich is safely remote from any GRU colonels you might run into at the banya.
Unicorn fans will find TechCrunch's state-of-the-herd summary interesting. There are more companies with billion-dollar valuations, they're staying private longer, and while they're born mostly in China and the US, they're also appearing in India, the UK, Israel, Germany, Indonesia, and elsewhere.
DeepMind has passed its medical app over the firewall to its data-hungry and data-monetizing corporate parent Google, and that's given observers a case of the willies. A "gut-punch" to privacy and trust, is how TechCrunch breathlessly put it.
And hey, Bitcoin barons: your favorite alt-coin has hit a new fork-fear-driven low, dropping below $6000 (CNBC) but it's probably too soon to call a bottom in this particular market.
The tight labor market is about to get tighter around New York's Long Island City and Arlington, Virginia's, Crystal City. Amazon intends to establish its two new headquarters in those places (Wall Street Journal). The company is looking at fifty-thousand hires across the two locations (Quartz).
Mergers and acquisitions.
On Friday BlackBerry acquired Cylance for $1.4 billion in cash. Cylance, which applies machine learning and artificial intelligence to cybersecurity, will operate as a separate business unit. BlackBerry will integrate Cylance products with chip-to-edge BlackBerry Spark, a communications platform that creates trusted connections among endpoints in the "Enterprise-of-things" (PRNewswire).
NSO Group, the often controversial Israeli lawful intercept vendor (or spyware merchant, depending upon where one sits) is said to be preparing to acquire another Israeli firm, Fifth Dimension, which offers predictive policing and threat assessment solutions (CTECH).
A survey of M&A professionals conducted by Merrill suggests that concerns over GDPR are inhibiting many transactions that would have otherwise proceeded relatively unproblematically (Help Net Security).
Investments and exits.
Santa Clara-based cloud security firm Netskope has raised a tidy $167.8 million in Series F funding. Lightspeed Venture Partners, an existing investor, led the round. Other existing investors Accel, Geodesic Capital, ICONiQ Capital, Sapphire Ventures and Social Capital also took part, as did new investor Base Partners (Netskope). This latest funding round pushes Netskope into a billion-dollar valuation (Fortune).
Israeli breach and attack simulation shop XM Cyber, known for its red-teaming platform, has closed a $22 million Series A funding round. Participants included Macquarie Capital, Nasdaq Ventures, Our Innovation Fund, and UST Global (Venture Beat). One way of characterizing what XM Cyber does is that they're an APT simulator (SecurityWeek).
Homomorphic encryption shop Duality Technologies has secured a $4 million funding round led by Team8. Team8 itself is backed by a number of large corporations across several industries, Walmart, Airbus, Microsoft, Softbank, Nokia, Barclays, Munich Re, Cisco, and AT&T among them (Fortune).
Boulder, Colorado, based Automox, which specializes in automated patching and configuration solutions, has raised $9.3 million in a Series A round led by TechOperators. Also participating were CRV, BlueNote Ventures, and other "previous insiders" (Globe Newswire).
Super-unicorn Palantir, the very capable data analytics company with a $20 billion valuation and an almost cult-like following in various US Government circles, does everything except not lose money. The company is thinking about how it might change that before its much-anticipated IPO (Wall Street Journal).
And security innovation.
DISA is interested in creative approaches to remote browser isolation, and is soliciting cloud-based approaches to the challenge of preventing attacks mounted through browsers (C4ISRNET).
A note to our readers: The Week that Was will take next Saturday off as we observe the long Thanksgiving weekend. We'll be back as usual on December 1st. (If shop you must between now and then, please stay safe online. Here's some advice to that effect from Webroot and RiskIQ.)
This CyberWire look back at the Week that Was discusses events affecting Australia, Belgium, Canada, China, Finland, France, Germany, Israel, New Zealand, NATO/OTAN, Nigeria, Norway, Pakistan, Russia, Sweden, United Kingdom, United States.
On the Podcast
Research Saturday is up. In this edition, "Doubling down on Cobalt Group activity," we hear from NETSCOUT Arbor, whose ASERT team has been tracking Cobalt Group campaigns that target financial institutions. Richard Hummel is manager of threat intelligence with ASERT, and he joins us to share his team's findings.
© 2018 CyberWire, Inc.