The week that was.
No confirmation yet of the Chinese supply-chain seeding campaign.
At this point one would have thought there would have been some confirmation of Bloomberg's report that China had successfully insinuated "spy chips" into the supply chain of a hardware manufacturer. But such confirmation has failed to appear. Other news organizations have looked for it, but they've come up empty. Denials continue to come in from companies the report said were affected, notably Supermicro, which this week replied to an inquiry from US Senators Blumenthal and Rubio by telling them that the compromise never occurred (Bloomberg).
Apple CEO Tim Cook told BuzzFeed that Bloomberg needed to "do the right thing" and retract its account. Bloomberg hasn't done so, instead telling BuzzFeed, "Bloomberg Businessweek's investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews. Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies' full statements, as well as a statement from China's Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources."
The US Director of National Intelligence said that while the prospect of such attacks is worrisome, the Intelligence Community has no evidence this one actually happened. DNI Dan Coats said, "We’ve seen no evidence of that, but we’re not taking anything for granted. We haven’t seen anything, but we’re always watching" (CyberScoop). The Intelligence Community's message seems to be, as NSA's Rob Joyce put it earlier this month, that looking for Chinese spy chips on server motherboards may be "chasing shadows."
Former intelligence officials, now retired to the private sector, seconded the views of the incumbents. Michael Rogers, until this spring Director, NSA, told Forbes, mildly, "I'm not sure I agree with everything I read." His Israeli counterpart, Nadav Zafrir, who formerly led Israel's Unit 8200, told the same publication that he wasn't "personally aware" of anything like the attack Bloomberg described.
Relations between the US and China have been tense, over both trade and cyber operations. There seems to be little reason for US officials to have an interest in minimizing a Chinese cyberattack. The emerging consensus seems to be that this particular supply chain attack warning was a false alarm.
Facebook believes its breach was the work of scammers, not spies.
Facebook has concluded that the breach it recently sustained was the work of criminal spammers, and not a nation-state's intelligence service. The spammers appear to have been interested in using the data stolen from thirty million individuals to increase their revenue from bogus advertising (Wall Street Journal).
And of course the data lost in the Facebook breach can certainly be used to craft more convincing social engineering attacks (Data Centre News).
Looks like (but probably isn't) the return of Comment Crew.
Researchers at McAfee Advanced Threat Research report finding a hitherto unremarked "data reconnaissance implant" that's targeting Korean speakers. They're calling it "Oceansalt," an homage to the earlier Seasalt implant that the old Chinese Comment Crew used back in 2010. Indeed, Oceansalt reuses code from Seasalt. The very prolific and busy Comment Crew, also known as APT1, appears to have gone dormant since its exposure in 2013. McAfee thinks, however, that this isn't Comment Crew. There's code similarity, but on other grounds the researchers conclude that this is a different actor. McAfee's report posits three possibilities, and they're commendably reticent about jumping to an attribution: It might be a code-sharing arrangement between what's left of Comment Crew and some other threat actor. Or a different group might have obtained the Seasalt source code from someone who'd worked in the old Comment Crew. Or it could be a false flag operation, with some unknown threat actor seeking to create an appearance of Chinese and North Korean collusion.
Oceansalt operations are thought to be closely targeted, with implants distributed via two compromised sites based in South Korea, and to be prospecting targets in Canada and the US as well as in the Republic of Korea. The campaign infected its targets through spearphishing, the phishbait in most cases being malicious Excel files. It proceeded in five waves. The first wave targeted South Korean universities, the second South Korean public infrastructure, and the third wave the Inter-Korean Cooperation Fund. The fourth wave hit targets outside North Korea, mostly in the US and Canada. And a fifth wave prospected American and South Korean organizations (McAfee Advanced Threat Research).
Three shades of GreyEnergy.
ESET warns that the threat actor behind BlackEnergy, involved in past attacks against sections of Ukraine's power grid, is back. It's infected three "energy and transport companies" in Poland and Ukraine. ESET notes that the group has a new malware suite, "GreyEnergy," and that it appears positioned for further campaigns. Although ESET doesn't attribute the activity to a nation-state, BlackEnergy has been associated, by Britain's GCHQ and others, with Russia's GRU (Reuters).
Google acknowledges censored search engine product.
"Dragonfly" is real, it's designed for the Chinese market, and, counterintuitively, Google says it's a force for good (Washington Post). The Intercept has an account of Google internal meetings about the censored search engine, which the publication says would include “human rights,” “student protest,” and “Nobel Prize” in its blacklist.
TLS 1.0 and 1.1 will sunset in 2020, at least as far as major browsers are concerned (SecurityWeek).
Crime and punishment.
Former US FBI Special Agent Terry J. Albury received four years in a Federal prison for leaking classified information to a reporter (US Department of Justice). Mr. Albury had seen himself as a whistleblower concerned to expose racial and religious bias as well as misconduct in counterterror operations. The Government maintained that there were any number of avenues in which he might have communicated his concerns. The four-year sentence is unusually long for a leaking case (Washington Post). Observers (and Attorney General Sessions, too) see it as a sign that the Government intends to get tougher on leaks and leakers (Washington Examiner). That may be so: a Treasury official, FinCEN senior adviser Natalie Edwards, has also been arrested for allegedly leaking to the press (New York Law Journal).
A former Equifax developer, Sudhakar Reddy Bonthu, has been sentenced to eight months confinement for insider trading. He's also been fined $50,000 and ordered to forfeit $75,979 (Infosecurity Magazine).
Colton Grubbs, creator of the LuminosityLink remote access Trojan, will spend thirty months in a US Federal prison. Mr. Grubbs initially maintained that his software was a legitimate sys-admin tool and not intended for malicious use, but he subsequently admitted that he not only knew some of his customers were criminals, but that he also highlighted the tool's criminal potential in his marketing. Six thousand people around the world were willing to pay him $40 a copy for LuminosityLink (Ars Technica).
A former high school teacher in Virginia has been convicted of identity theft and unauthorized access to computer systems for hacking celebrities' accounts to steal private photos. Christopher Brannan took a guilty plea to charges stemming from 2013 and 2014. He also apparently tried to get pictures of colleagues and students. Mr. Brannan's methods were unsophisticated: he usually just guessed answers to security questions (Graham Cluley).
Courts and torts.
Anthem has settled its HIPAA violation case with the US Department of Health and Human Services, Office for Civil Rights, for $16 million. The insurer in March 2015 disclosed the largest healthcare data breach in US history; almost seventy-nine million persons were affected (Help Net Security). The Resolution Agreement also includes a comprehensive corrective action plan. Earlier this year Anthem settled civil suits for $115 million (Health IT Security).
San Jose-based semiconductor startup CNEX Labs is suing Huawei, alleging theft of intellectual property. It's a countersuit filed after Huawei filed its own similar complaint against CNEX last year (Wall Street Journal).
Policies, procurements, and agency equities.
Privacy regulation in the US seems likely to test federalism. States want to make their own rules, but Big Tech would prefer a single Federal regulatory regime that would preempt state measures (Threatpost).
The US Food and Drug Administration (FDA), which regulates among other things medical devices, is set to turn to ethical hacking to improve device security (Washington Post). The FDA will also be working closely with the Department of Homeland Security on the cybersecurity of medical devices (FDA).
Fortunes of commerce.
Huawei and ZTE remain controversial in Western countries. Members of the US Senate (specifically Senator Warner, Democrat of Virginia, and Senator Rubio, Republican of Florida) are urging their Canadian counterparts to keep Huawei in particular out of their telecom networks (Reuters).
Google's widely perceived unwillingness to do US Government work (while exhibiting a willingness to do Chinese government work) attracted a thinly veiled shot from the US Director of National Intelligence this week (Fifth Domain).
The 2018 (ISC)2 Cybersecurity Workforce Study was released Wednesday. It reports a shortfall of nearly three-million cybersecurity workers worldwide. The greatest shortage is in the Asia-Pacific region, followed by North America, but it's a worldwide problem. Respondents to the survey reported three "challenges" in their career progression: "unclear career paths for cybersecurity roles (34%)," "lack of organizational knowledge of cybersecurity skills (32%)," and "the cost of education to prepare for a cybersecurity career (28%)." The Advanced Cyber Security Center commented that they see in the results a strong interest, on the part of cyber professionals, in learning. They also see a role for non-traditional approaches to building technical skills.
Thus the good guys, but "even the bad guys have a talent problem," says FireEye's Sandra Joyce, which of course they do (Economic Times). It's essentially the same problem the good guys have, and that's worth remembering, because even the mob has its HR issues. Finding good help these days? Forget about it.
Among the good guys, apparently many security pros are interested in jumping ship, which piles retention problems on top of recruiting challenges (Dark Reading).
Acumin found that cybersecurity salaries in the UK are up 6% over last year, about double the national rate of increase. The raises (as we call "rises" over here) were not equally distributed. Workers with education and compliance roles enjoyed the biggest increases, coming in at 20%. Information security officers had the lowest, averaging an increase of just 1.5%. Security analysts saw a 13% rise in compensation; application security specialists' and product directors' wages increased by 2% (Infosecurity Magazine).
The US Department of Defense sees some analogies between its efforts to recruit tech talent and the ways college coaches recruit high school athletes (Defense One).
Mergers and acquisitions.
Nucleus Cyber has acquired Security Sheriff from Cyxtera with the intention of applying AI solutions to the security of cloud environments, and in particular to Microsoft SharePoint and Office 365 (PRWeb).
Utimaco announced its acquisition of Atalla from Micro Focus. Atalla and Utimaco believe they occupy complementary positions in the hardware security module market, and that their technology will prove synergistic (Utimaco). The acquisition has cleared US regulatory hurdles (SecurityWeek).
Exertis will rebrand Stampede, the US-based company it acquired, rolling its services into the Exertis Pro AV brand everywhere except in North America, where it wishes to retain the brand equity associated with the name "Stampede" (CRN).
Singapore's government holding company Temasek announced its acquisition of cybersecurity consultancy Sygnia, headquartered in Tel Aviv and fostered by the Israeli startup foundry Team8 (CTech). Terms weren't immediately disclosed, but sources close to the deal told TechCrunch that Temasek paid $250 million for the startup.
Georgia-based ControlScan has purchased Dunbar Cybersecurity. Adding the Maryland-based shop to its portfolio will significantly increase ControlScan's managed security services offerings (Globe Newswire).
Investments and exits.
London-based Garrison, which offers safe browsing as a service, has raised $30 million in a funding round led by Dawn Capital with participation by IP Group, BGF, and NM Capital. Garrison intends to use the money to expand sales and marketing, add engineering capability, and further enhance its offering (Computer Business Review).
WhiteSource has raised $35 million in a Series C round led by Susquehanna Growth Equity, with participation by existing investors 83North and M12 (formerly Microsoft Ventures). WhiteSource, which specializes in open-source security management, will use the funding to expand sales and customer support (SecurityWeek).
Saruman, call Orthanc for your friends-and-family shares: Palantir is considering an initial public offering (Times). The company is bigger than a unicorn, maybe as big as the Watcher in the Water, and its IPO will be a whopper. Estimates suggest a valuation of $41 billion (Wall Street Journal).
And security innovation.
A new campus is under construction in Baltimore, Maryland, that will seek to provide a focal point for the region's cybersecurity companies. "Cyber Town USA" is under construction along the harbor in the city's Port Covington district. There are more than eight hundred cyber companies in the region, but most of them are focused closely on government work (Washington Post). Cybersecurity incubator DataTribe seeks to change that, working to help companies move from Federal contracting to commercial markets. DataTribe announced that it will move from its current location in Fulton, Maryland, to Port Covington when the new center opens in 2020 (PRWeb). (Disclosure: The CyberWire is a DataTribe portfolio company.) DataTribe will be joined by Silicon Valley venture firm Allegis Cyber and Maryland-based investment bank Evergreen Advisors (Baltimore Business Journal).
Crypto Quantique is demonstrating what it characterizes as “the world’s first quantum driven secure chip (QDSC).” The London-based start-up, which has been supported by Entrepreneur First, offers the chip as a solution to IoT security problems (TechCrunch). UK-based ARM and Boston-based Cybereason are also collaborating on a security chip for the Internet-of-things. The chip is intended for connected devices and sensors (Wall Street Journal).
Some advice in TechCrunch on what it takes for a startup to be successful: productive talent, efficient marketing and distribution, network effects, and offering an end-to-end solution.
This CyberWire look back at the Week that Was discusses events affecting Australia, Canada, China, Poland, Russia, Ukraine, the United Kingdom, and the United States.
On the Podcast
Research Saturday is up. Security firm Lastline recently took a close look at threats to the Office 365 cloud environment, taking advantage of the insights they gain protecting their clients. Andy Norton is director of threat intelligence at Lastline, and he joins us to describe their findings.
© 2018 CyberWire, Inc.