How can industrial organizations stay ahead of ICS adversaries and proliferating threats?
Dragos identified the most dangerous threat to ICS, XENOTIME (the activity group behind TRISIS), has expanded its targeting beyond oil and gas--illustrating a trend that will likely continue for other ICS-targeting adversaries. Learn more about how taking an intelligence-driven approach to ICS cybersecurity can help organizations stay ahead of the latest threats to ICS environments.
The Week that Was.
June 22, 2019.
By the CyberWire staff
Countervalue deterrence for cyberspace?
The New York Times says, in a largely anonymously sourced piece, that the US has staged implants in the Russian electrical grid to enable the US to impose costs on widely expected Russian misbehavior during the 2020 elections. This would be battlespace preparation as opposed to an attack (the article is clearer on this point than is its headline). The reported operation would appear to be a deterrent move intended to dissuade Russia from cyberattacks and influence operations against the US.
Precedent for active cyber operations may be seen in US response to Russian election influence operations in 2018. (See Lawfare's useful summary of presumed Cyber Command action against the troll-farming Internet Research Agency, which President Trump more-or-less confirmed in a Fox interview.) Others see similarities to the allegedly planned but apparently never executed NitroZeus operation designed for use against Iran.
The report of US activity in Russia's grid comes shortly after Dragos reported signs that Xenotime, the "activity group" responsible for the Trisis (also called "Triton") malware used against petrochemical facilities in the Middle East, had been seen probing the North American power grid. This activity appeared to be reconnaissance. FireEye, which discussed renewed Triton activity in April, has attributed the campaign to the Russian government, specifically to the Central Scientific Research Institute of Chemistry and Mechanics.
If the New York Times has its story right, the operation it reports would seem to be deterrence. For deterrence to work, the threatened retaliation must be credible, and the adversary must know about it. If that's the point of discussions on background with the New York Times, then mission accomplished. There's another similarity with classic Cold War nuclear deterrence: the strategy seems to represent a predominantly countervalue approach. Countervalue deterrence holds something at risk the adversary values, but which need have no direct military significance. Counterforce strategies hold military targets at risk. The deterrence of mutual assured destruction during the Cold War, which held cities at risk, was an example of countervalue strategy. An attack on electrical power distribution is likely to harm civilian targets at least as much as it does military ones, which raises issues of discrimination and proportionality.
Make smarter decisions and move faster to block adversaries.
Understand how you can make smarter decisions to move faster — both by blocking an adversary and disrupting them altogether — by using orchestration with intelligence in this free white paper: Smarter = Faster: Security Orchestration with Threat Intelligence. You’ll learn how to automatically alert, block, and quarantine based on relevant threat intel as well as how to increase the accuracy, confidence, and precision of your security operations.
Refined Kitten is up and at 'em.
Tensions between the US and Iran, already high over attacks on tankers in the Arabian Gulf and ongoing disputes over Iran's nuclear ambitions, have risen significantly in the wake of Iran's shootdown of a US Air Force RQ-4A Global Hawk reconnaissance and surveillance drone. The US says the drone was in international airspace over the Straits of Hormuz; Tehran says the RQ-4A was flying over southern Iran. Cyber battlespace preparation appears to be underway: WIRED says that Dragos and CrowdStrike have reported a surge in phishing emails deployed against a range of American targets. The actor is said to be APT33, also known as Magnallium or Refined Kitten. At least some of the phishing attempts were baited with what appeared to be an announcement of a job opening at the White House's Council of Economic Advisors. The malicious link opens an HTML application, which in turn starts a Visual Basic script on the targeted machine that installs the payload: the Powerton remote-access Trojan. It's unclear if any of the attempts have been successful, nor is it known whether their goal is reconnaissance or staging.
Information operations updates.
A European Commission report last week accused Russia's government of an extensive social media effort to influence EU election results. The report concludes that, by some indices, Russian disinformation campaigns have more than doubled since 2018, and that their goal remains the same: undermining the legitimacy of European democracies, including, of course, that of the European Union as a whole.
Twitter took down some five-thousand inauthentic accounts late last week. Most of them were being run out of Iran, although a small fraction were operated from Russia, or by people interested in Venezuela's crisis and the Catalan independence movement in Spain (Infosecurity Magazine).
Seeking to address and dampen abuse of its platform to foment and organize violence in Sri Lanka and Myanmar, Facebook is trying something other than content moderation: "introducing friction." TechCrunch says Facebook will limit the number of times users around the region can share a message. For now, that limit is five.
Hear stories of deception, influence & social engineering in the world of cybersecurity.
Every week on the CyberWire's Hacking Humans Podcasts we talk to social engineering experts, security pros, cognitive scientists, and those practiced in the arts of deception (perhaps even a magician or two). Try us out. You can even submit scams you received to be featured as our Catch of the Day. Sponsored by the experts at KnowBe4.
Pwning someone else's espionage infrastructure.
A Russian espionage operation, "Waterbug" (others call the actor "Turla") appears to have hijacked Iran's OilRig ("Crambus") infrastructure, Symantec reports. The activity falls into three distinct campaigns: one using Meterpreter, another a hitherto unremarked backdoor ("Neptun"), and the third a backdoor that executes PowerShell scripts without powershell[dot]exe. The group is also using a custom-made tool that packages "four leaked Equation Group tools (EternalBlue, EternalRomance, DoublePulsar, SMBTouch) into a single executable" (Washington Times). Symantec doesn't attribute Waterbug or Crambus to any nation-states, but notes that press reports have done so.
Symantec thinks Turla opportunistically stole credentials from OilRig in January of 2018, and has since used OilRig's infrastructure to stage its own espionage operations in the Middle East and elsewhere. Espionage services take the same interest in one another's tools that any set of competitors might. At this point it's reasonable to assume that Moscow's takeover didn't involve Tehran's cooperation. Symantec found no evidence of Russo-Iranian collaboration, but that can't be ruled out a priori, especially since it appears that OilRig didn't react to the hijacking (CyberScoop).
Register for RSA Conference 2019 Asia Pacific & Japan today!
Join industry leaders and peers at the region’s leading cybersecurity event, 16 – 18 July at the Marina Bay Sands in Singapore. Learn the latest issues and solutions, stay on top of new regulations, demo cutting-edge products, expand your skills and grow your personal network. Register now.
Campaign targets Android devices in the Middle East.
Trend Micro outlines a cyberespionage campaign using malicious Android apps to deliver malware dubbed "GolfSpy" to targets in the Middle East. The malicious apps were hosted on an obscure website that the researchers observed being promoted on social media. More than 660 Android devices were infected, and "much of the information being stolen appears to be military-related." The researchers don't attribute the campaign to any country, but they note that the malware shares code similarities with Domestic Kitten, widely regarded as an Iranian cyberespionage operation (SecurityWeek).
Have Your Users Made You an Easy Target for Spear Phishing?
Many of your organization’s email addresses and identities are exposed on the internet, and are easy for cybercriminals to find. With email’s enormous attack surface, cybercriminals are able to launch potentially devastating social engineering, spear phishing and ransomware attacks on your organization. Try KnowBe4’s Email Exposure Check Pro for free today, and see how you can identify the at-risk users in your organization by crawling business social media information and hundreds of breach databases.
CISA warned this week that the agency successfully exploited BlueKeep to run code remotely on a Windows 2000 machine, urging users to patch or upgrade vulnerable versions of Windows as soon as possible. Avast summarizes the threat, and says patch procrastination is a psychological phenomenon that needs to be overcome.
Crime and punishment.
A Dutch-led team of international prosecutors has charged three Russians and a Ukrainian with murder over their alleged roles in the downing of Malaysia Airlines Flight 17 (New York Times). The Dutch chief prosecutor said that "although they did not push the button themselves, we suspect them of close cooperation to get the (missile launcher) where it was, with the aim to shoot down an airplane." Much of the initial evidence regarding the shoot-down came from calls intercepted by Ukrainian forces (Vancouver Sun).
A UN investigation has concluded that Saudi Arabia was responsible for the murder of Jamal Khashoggi. The report, released Wednesday, called for an investigation into Saudi Crown Prince Mohammed bin Salman and other senior officials based on "credible evidence" of their direct involvement in the killing (Guardian).
Courts and torts.
Laura Martin, an analyst at Needham, says Facebook should be concerned that the Federal Trade Commission now has jurisdiction over any antitrust investigations into the company, since an FTC investigation is likely to be more wide-ranging than a DOJ inquiry would have been. FTC investigations are also open and highly publicized, compared to the DOJ's more private process. Google and Apple have less to worry about, since they fell under the DOJ's jurisdiction (Business Insider).
Policies, procurements, and agency equities.
We received an email this week from CISA, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, outlining recommendations on information and communication technology (that is, ICT) supply chain security. The recommendations are the work of the CISA-organized ICT Supply Chain Risk Management Task Force. The full set of recommendations are expected to be posted soon, but in outline, the task force proposes a reform of US Federal acquisition regulations to incentivize purchases from original equipment manufacturers and their authorized resellers only.
Why does this matter? It matters because going down the path the CISA panel recommends might help resolve certain tensions involving acquisition rules that strongly encourage agencies and contractors to make low cost an overriding factor in procurements.
To take one example we’ve heard about from Control Global Unfettered Blog, counterfeit Yokogawa transmitters, in general use with electrical power distribution process sensors, are widely available, and Yokogawa warns that they're even for sale on eBay. They're pretty convincing knock-offs, made in China, of Yokogawa's real McCoys. One might well worry about the likelihood that counterfeit goods are low-quality crapola, but of course there’s the additional concern that there could be deliberately induced vulnerabilities in them (Control Global). And, of course, their presence on eBay would suggest that anything you buy from the web may not be coming from an authorized vendor.
The Defense Appropriations Act encourages purchasing commercial-off-the-shelf (COTS) equipment and services, and urges that such be purchased online, as inexpensively and quickly as practicable (Lexology). The authors of the bill have their hearts in the right place--one wouldn't want to spend more than necessary on a commodity device--but in this case economy may be in tension with security and perhaps even safety. As is usually the case, if you have inconsistent preferences--in this case supply chain security and lowest cost--you can usually be induced to take a sucker bet.
Fortunes of commerce.
Retrieval-Masters Creditors Bureau Inc., corporate parent of the American Medical Collection Agency (AMCA), Monday filed for Chapter 11 bankruptcy protection in the US Bankruptcy Court for the Southern District of New York. AMCA was implicated in the data breach that touched major medical testing and diagnostic firms. AMCA will not attempt reorganization. The filing is intended to enable an "orderly liquidation."
Loss of business, immediate costs of response, and the costs of notification were more than AMCA could handle. The company's four biggest customers--LabCorp, Quest Diagnostics, Conduent and CareCentrix--either terminated or "substantially curtailed" their relationship with AMCA. The company has also already sustained heavy costs as it responds to the breach. AMCA has already spent $400,000 hiring outside consultants to find and fix the causes of the breach. The expense of notifying affected individuals was even greater: AMCA had to assume that everything on its servers had been compromised, and so had to notify some seven-million people. Notification alone cost $3.8 million. It's also had to cut jobs, dropping its headcount from the one-hundred-thirteen employees it had at the end of 2018 to just twenty-five as of Monday.
AMCA may face other legal and regulatory action at both the state and Federal levels that bankruptcy won't necessarily forestall. There are also civil lawsuits pending (HIPAA Journal).
The US Federal Government is said to have made strides toward reducing its backlog of clearance investigations (Federal News Network).
A Gartner survey suggests that, not only are companies overpaying to attract talent, but the talent is composed of a significant number of job-hoppers (Help Net Security).
Mergers and acquisitions.
Accenture has acquired Deja vu Security, a Seattle-based information security consultancy "that specializes in security design and testing of enterprise software platforms and internet of things (IoT) technologies." Deja vu is expected to form part of Accenture Security’s Cyber Defense offerings. Financial terms of the acquisition have not yet been disclosed (Accenture Newsroom).
GitHub, itself owned by Microsoft, has acquired code-review-tool shop Pull Panda. The start-up's three products, Pull Reminders, Pull Analytics, and Pull Assigner, are now available in the GitHub Marketplace. Terms of the acquisition haven't been disclosed (Computing).
United Technologies' CEO is confident the merger with Raytheon (to produce Raytheon Technologies) will go through, despite some opposition that's surfaced from activist investors (CNBC). The merger is receiving the usual scrutiny from the US Justice Department, which will consider carefully whatever advice it receives on the matter from the Department of Defense (Middletown Press).
Onapsis has completed its acquisition of Heidelberg-based Virtual Forge, strengthening its position in SAP security.
Investments and exits.
Palantir has been long expected to take itself public, but as of yet there's been little information about the company's plans, if any, for an IPO (Yahoo).
Email security shop IRONSCALES, with operations based in Tel Aviv and Atlanta, closes a $15 million Series B round led by existing investor K1 Investment Management. IRONSCALES offers what it characterizes as "the world's first automated phishing prevention, detection and response platform" (PRWeb).
TrueFort, perched on the Palisades of Weehawken, New Jersey, closed a $13.7 million Series A round led by Evolution Equity Partners, with participation by Lytical Ventures and Emerald Development Managers. TrueFort, which specializes in behavioral analytics technology designed to "detect and prevent malicious activity in realtime" intends to use the investment to expand technical, sales and marketing staff needed to pursue further growth (BusinessWire). Since February, TrueFort has partnered with CrowdStrike.
Cloud-security shop Valtix emerged from stealth this week and announced both a cloud-native security platform and $14 million in initial funding. Trinity Ventures, Vertex Ventures, and Wing Venture Capital participated in the investment round. The company's platform is designed to identify new applications running in the cloud and ensure that they have proper inline protection (SecurityWeek).
Australia's Telstra Ventures has taken a stake in Denver-based third-party risk-estimation company CyberGRX. The amount of the investment is believed to lie between $5 million and $10 million (CRN).
Anti-phishing startup Valimail has raised $45 million in Series C funding from Insight Partners. The company intends to use the funding for product development, and also to increase its partnerships and pursue global expansion (VentureBeat).
Researchers at Australia's Data61 say they've developed a "vaccination" for adversarial attacks against machine learning models. By introducing a small amount of distortion into the training data, simulating adversarial examples, the researchers found that "the resulting model is more robust and immune to adversarial attacks" (ZDNet).
Today's issue includes events affecting Australia, European Union, Iran, Israel, Myanmar, Netherlands, Russia, Saudi Arabia, Spain, Sri Lanka, Ukraine, United Arab Emirates, United States, and Venezuela.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.