At a glance.
- A look at China’s disinformation investments.
- ShinyHunter pleads guilty.
- Officials from half the globe gather for a cyber conference.
- International partners issue secure-by-design guidance.
- AI, fact-checking, and the spread of misinformation.
- Cybersecurity pros volunteer to support local governments.
- Proposed law gives USPS identity verification powers.
- GAO: White House needs to improve information sharing.
- Reservations about the proposed EU Cyber Resilience Act.
- Hacktivism and international law.
A look at China’s disinformation investments.
A new report from the US State Department’s Global Engagement Center investigates some of the unique methods the Chinese government has been using to fund its efforts to spread disinformation. “Beijing has invested billions of dollars to construct an information ecosystem in which PRC propaganda and disinformation gain traction and become dominant,” the report, which was based on both open-source information and US government intelligence, states.
As the Wall Street Journal explains, there are, of course, the expected barrages of online bot and troll armies. Just last month Meta announced it had taken down thousands of accounts on Facebook and Instagram linked to the Chinese government, and there’s evidence the PRC’s social media efforts were also found on other platforms like YouTube, X, and Gab.
More surprisingly, the report found that China has also been leveraging legal actions against those critical of Chinese companies for funding, as well as engaging in content-sharing agreements with Latin American and African media. By focusing efforts on developing nations, it appears China’s goal is to coerce other governments into making decisions in alignment with the PRC’s objectives and sentiments.
While China’s efforts to control the information landscape are nothing new, these efforts have expanded dramatically since Chinese leader Xi Jinping came to power. That said, these campaigns have had a middling impact. The report states, “Although backed by unprecedented resources, the PRC’s propaganda and censorship have, to date, yielded mixed results. When targeting democratic countries, Beijing has encountered major setbacks, often due to pushback from local media and civil society.”
ShinyHunter pleads guilty.
Last week a twenty-two-year-old cybercriminal associated with the ShinyHunters cyber gang pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. French citizen Sebastien Raoult, who goes by the handle Sezyo Kaizen, was apprehended last year in Morocco under suspicion of working with the notorious threat group and was extradited to the US last January.
As the US Department of Justice explains, “Raoult and his co-conspirators hacked into protected computers of corporate entities for the theft of confidential information and customer records, including personally identifiable information and financial information.” Specifically, Raoult helped create websites spoofing login pages belonging to legitimate businesses, then sent phishing emails to company employees with links to those fake login sites.
Bleeping Computer reports that the hackers then used the login credentials to break into victims’ accounts and steal company data. They then sold data belonging to over sixty companies on the dark web and, in some cases, extorted the breached firms, demanding a ransom payment to not publicly leak the stolen information. Their activities yielded damages exceeding $6 million.
Acting U.S. Attorney Tessa M. Gorman stated, “People often think their actions from behind a screen won’t have consequences for them. Raoult and his co-conspirators used deceptive tactics to trick people into sharing personal login information and breached confidential data from numerous companies. The FBI Seattle Cyber Task Force and our office’s cyber unit work tirelessly to ensure victims of fraud and hacking like this get justice.”
Officials from half the globe gather for a cyber conference.
At the end of September the US Department of Homeland Security (DHS) hosted its first-ever Western Hemisphere Cyber Conference. Secretary of Homeland Security Alejandro N. Mayorkas welcomed representatives from twenty-one nations to discuss the cybersecurity challenges they face, and to identify areas that could benefit from further collaboration.
As the conference readout explains, topics covered included cybersecurity trainings and vulnerability scanning; workshops on topics like cyber hygiene, threat mitigation, and public-private partnerships; aviation and maritime port cybersecurity assessments; cybercrime and cyber law enforcement trainings; and additional methods for expanded information sharing.
Prior to the meeting, US officials from the Cybersecurity and Infrastructure Security Agency (CISA), the United States Secret Service, and Immigration and Customs Enforcement’s Homeland Security Investigations provided trainings to partner nations including Argentina, the Bahamas, and Canada to educate them on Industrial Control Systems, network intrusion, cyber law enforcement, computer evidence recovery, and the criminal use of cryptocurrency. A fact sheet adds that the Transportation Security Agency assessed cybersecurity standards at partner airports in nations such as Brazil, Colombia, Mexico, Nicaragua, and Uruguay, and the US Coast Guard hosted a delegation from the Mexican Naval Secretariat to discuss plans for a long-term joint initiative for maritime cybersecurity.
International partners issue secure-by-design guidance.
In June an international government coalition released joint guidance on secure-by-design software manufacturing. The document, called “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default,” is a collaborative effort from CISA, the US Federal Bureau of Investigation (FBI), the US National Security Agency, and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand.
Kaitlin Jewell, CISA’s associate director of international affairs, explained, “CISA’s really committed to promoting a shift collectively on how we’ve been doing cybersecurity. Really what this means is shifting the burden of security away from the customer, shifting the burden for mitigating cyber risk to the most capable entities, the private and public sector, and particularly for CISA International, shifting how we promote this to international partners in our coordination efforts.” CISA’s strategic plan for 2024-2026 underscores this commitment to a security-by-design and -default approach, stating, “This is a shared journey and a shared challenge, and CISA, as America’s cyber defense agency, is privileged to serve a foundational role in the global cybersecurity community as we achieve measurable progress to our shared end state.”
As AFCEA’s Cyberedge notes, the joint guidance is just one of the many actions CISA International is taking. Other initiatives include the addition of an international annex, training opportunities, international exercises, and expanded information sharing. Jewell also highlighted the importance of working together to thwart the malicious activities of nation-state actors like China, and in May CISA collaborated with international cybersecurity authorities to create a joint cybersecurity advisory warning about China’s recent activities. Jewell explains, “Our private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and it is believed that the actor could apply the same techniques against these and other sectors worldwide.”
AI, fact-checking, and the spread of misinformation.
Artificial intelligence is now an integral part of the tech landscape, and while the benefits of AI tech are numerous, some experts are questioning whether the positives really outweigh the negatives. One possible positive is the potential for AI to be used as a means to suss out phishing scams. However, a new report from intelligent email security firm Egress shows that AI might not be as successful at detecting these scams as hoped.
According to the study, nearly three-quarters (71%) of AI detectors can’t tell if a phishing email was written by a chatbot, Egress reports. Jack Chapman, Egress’s VP of Threat Intelligence, stated, “Without a doubt chatbots or large language models (LLM) lower the barrier for entry to cybercrime, making it possible to create well-written phishing campaigns and generate malware that less capable coders could not produce alone.” He also noted that AI bots can be used to scrape the internet for public info on targets faster and more effectively than humans ever could, making it easier than ever for cybercriminals to develop targeted phishing operations.
Cryptopolitan notes that malicious actors can use publicly available chatbots like ChatGPT to generate phishing emails that are far more convincing and better written than those produced by traditional methods. Cybersecurity firm Darktrace says chatbots have led to an increase in such AI-based social engineering attacks, creating campaigns that are nearly indistinguishable in communication style from human-written messages. Some LLMs can even mimic the voice patterns of specific individuals, which is useful not only in phishing scams but also in disinformation campaigns.
The New York Times explains that fact-checkers at media outlets are fighting an uphill battle when it comes to curbing the spread of disinformation. The past few years have seen a surge in digital disinformation campaigns on issues like the pandemic and elections, yet efforts to debunk these falsehoods have waned. Fact-checking sites like Canada’s Baloney Meter and Austria’s Fakt Ist Fakt have shut down in recent years, and harassment and government repression have made debunkers less likely to speak up. Platforms like Facebook and TikTok instituted policies to fight the spread of fake news, particularly about COVID-19, but a recent paper in the journal Science Advances shows that while the amount of content has decreased, engagement with that content has not. “In other words, users engaged just as much with anti-vaccine content as they would have if content had not been deleted,” said professor David Broniatowski, an author of the paper. Claire Wardle, a co-director of the Information Futures Lab at Brown University, compared the current online information ecosystem to an awkward teen: “it’s gangly, and it’s got acne, and it’s moody.” However, she says, there are signs that puberty might be almost over, as misinformation surrounding the 2022 midterm elections was less prevalent than in previous years.
Cybersecurity pros volunteer to support local governments.
Local governments are prime targets for cybercriminals, and a lack of access to professional cybersecurity resources often leaves them vulnerable to attack. John Pescatore, director of emerging security trends at SANS Institute, explains, “Cybersecurity expertise is hard to find. People can make really good salaries working for commercial companies in cybersecurity, so there are city governments and small organizations that find it hard to attract or even afford full-time cybersecurity talent.”
Govtech reports that Ohio is one of several US states that has turned to its residents for assistance. The Ohio Cyber Reserve is a volunteer force of cyber professionals who offer their services to local governments. The National Governors Association (NGA) says that as of 2022, fifteen states had established similar programs or were planning to do so in the future. The Michigan Cyber Civilian Corps (MiC3) not only supports local government, but private organizations and schools. Volunteers in Wisconsin’s Cyber Response Team (CRT), which is administered by Wisconsin Emergency Management and facilitated through the Department of Military Affairs, share best practices and participate in two quarterly training sessions each year.
Pescatore states, “The idea of these citizen cyber brigades is to take advantage of the skilled people, those earning a living in the field, who are often very willing to donate their time.”
That said, experts note that there are complications to consider. Oklahoma Cyber Command Watch Officer and OK-ISAC Interim Director Amber Mangham warns that there could be liability issues if the volunteers mishandle a cyber incident or, worse, turn out to be hackers themselves. Volunteers could also burn out or be pulled away by career demands, and establishing the security protocols needed to make it safe for citizens to handle sensitive cyber incident data can be challenging.
Proposed law gives USPS identity verification powers.
Two senators have introduced a bipartisan bill that would permit the US Postal Service (USPS) to offer identity verification services to private companies. NextGov reports that last weekend Senators Bill Cassidy (Republican of Louisiana) and Ron Wyden (Democrat of Oregon) proposed the Post Office Services for Trustworthy Identity Act, or POST ID Act, which authorizes USPS to charge fees for providing identity proofing services.
The bill is intended to crack down on identity fraud, which has been on the rise as criminals have gained increased access to artificial intelligence and deepfake tech. Wyden stated, “Criminals using hacked personal information made it hard enough to verify a person’s identity — now AI deepfakes have added a whole new challenge for the most common verification methods. The best way to confirm who someone is, is in-person verification.”
USPS already offers identity proofing services for some government agency sites, like the General Services Administration’s Login.gov platform and the FBI’s Identity History Summary Check program and USAccess programs. A USPS spokesperson states, “These in-person identity services leverage the Postal Service’s vast retail footprint, which includes more than 31 thousand retail locations across the country, including in remote locations.”
The Better Identity Coalition has endorsed the bill, and the coalition’s coordinator Jeremy Grant states, “The Postal Service already provides in-person identity proofing services when Americans need to get a passport, and it’s only natural that the private sector also be able to leverage those services when companies need a way to verify someone’s identity in person.”
GAO: White House needs to improve information sharing.
A new report from the US Government Accountability Office (GAO) says the White House is falling short when it comes to keeping up with threat actors’ ever-evolving stable of hacking tools and tactics targeting critical infrastructure, and that this weakness is due in part to suboptimal information sharing performance measures and methods.
As MSSP Alert explains, the report states that the entities responsible for sector risk management are not taking full advantage of the information sharing methods at their disposal. After reviewing fourteen federal agencies and seven non-federal entities, the GAO found that ten agencies used fewer than half of the eleven sharing methods discussed. “The 14 agencies varied in the number of information sharing methods that they each used. Specifically, four agencies—the Department of Defense, the Department of Energy, CISA, and FBI—used more than half of the 11 sharing methods and 10 agencies used fewer than half of the 11 sharing methods,” the GAO notes.
All of the federal agencies reviewed issue cyber threat briefings and use threat information products, while only one agency was found to use threat indicator sharing platforms. CISA and the FBI used a centralized approach to share information with each of the sixteen infrastructure sectors defined as critical, while the other twelve agencies shared sector-specific threat information.
The GAO found that there are six main challenges standing in the way of better threat information sharing: limited relationships, limited funds and resources, limited sharing of classified or sensitive information, lack of timely sharing, limited voluntary sharing, and lack of actionable information. The report reads, “Although 13 of the 14 federal agencies reported that they have taken initial actions to address these threat sharing challenges, all 14 agencies also acknowledged that these challenges have not been fully resolved for their sectors.”
While the White House's National Cybersecurity Strategy implementation plan, which came out earlier this year, includes eight information sharing initiatives, the GAO’s report states that the plan has two main issues. First, the strategy neglects to identify outcome-oriented performance measures to assess the effectiveness of the info sharing initiatives. And second, although the plan calls for CISA to assess whether new or improved sharing methods are needed, it doesn’t call for an assessment of whether existing sharing methods should be retired in favor of centralized or sector-specific sharing approaches. The GAO concludes that until these issues are addressed, “the longstanding cyber threat sharing challenges will likely continue to persist.”
The EU's Cyber Resilience Act.
The European Commission is considering a Cyber Resilience Act. Its stated purpose is to "ensure that digital products, such as wireless and wired products and software, are more secure for consumers across the EU: in addition to increasing the responsibility of manufacturers by obliging them to provide security support and software updates to address identified vulnerabilities, it will enable consumers to have sufficient information about the cybersecurity of the products they buy and use."
An international group of cybersecurity experts from industry and academia (and including some former senior government cyber officials) expressed strong reservations about the aspects of the bill that would require vulnerability disclosure. "While we appreciate the CRA’s aim to enhance cybersecurity in Europe and beyond, we believe that the current provisions on vulnerability disclosure are counterproductive and will create new threats that undermine the security of digital products and the individuals who use them," the open letter from the Center for Cybersecurity Policy and Law says. They urge that the proposed law be altered to protect good-faith, white-hat researchers, and to prevent the premature disclosure of vulnerabilities that could be exploited before mitigations were available.
The CRA requires software developers to disclose unpatched vulnerabilities to government agencies within twenty-four hours of detection. “This means that dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities, without the ability to leverage them to protect the online environment and simultaneously creating a tempting target for malicious actors,” the letter reads. The experts go on to explain that government access to vulnerability data could lead to unwarranted surveillance or exploitation by threat actors. The requirements could also stifle partnerships between industry and white hat hackers, as companies may discourage researchers from reporting newly discovered vulnerabilities for fear of government interference. The writers recommend that the disclosure rules be removed, or revised to allow a seventy-two hour reporting window. Other recommendations include barring agencies from sharing vulnerabilities disclosed through CRA for intelligence purposes, and excluding vulnerabilities discovered through good faith research from the CRA’s reporting requirements. Signatories include leaders at tech companies like Google, ESET, and Bitdefender, as well as think tanks and nonprofits including the Electronic Frontier Foundation, ICT4Peace Foundation, and the CyberPeace Institute.
George McGregor, VP at Approov Mobile Security, noted that EU rules inevitably have a significant effect on US companies. “These vulnerability requirements, if enforced, will be of critical importance to US companies which operate in the EU. The EU Cyber Resilience Act makes no distinction about where vulnerabilities are discovered so the obligation will be worldwide in scope," he wrote in emailed comments, and he thinks the open letter should affect the EU's deliberations. “This is clearly understood by the number of US based individuals who have signed the request to modify the CRA in order to remove the requirement to report unpatched vulnerabilities within 24 hours. The letter also requests that vulnerabilities uncovered during testing should not be included in the reporting requirement. With this level of industry reaction, the CRA requirements should certainly be relaxed.”
Guidelines for hacktivists engaged in hybrid war.
Two officials of the International Committee of the Red Cross (ICRC) have issued guidance for hacktivists, published as an essay in the European Journal of International Law. The guidelines constitute an extension of existing international norms of armed conflict to cyberspace, with a view to preserving norms that would protect noncombatants, not only against attacks on infrastructure, but also from online incitement to atrocity. Certain specific classes of targets are explicitly prohibited, notably medical and humanitarian facilities.
While hacktivism has so far seldom if ever risen above the level of a nuisance in Russia's war against Ukraine, that could change. An essay in Dark Reading lays out a case for taking the threat seriously, despite its negligible results to date. Groups like KillNet are taking a new interest in wiper malware, and they increasingly imagine themselves as a virtual analogue of private military corporations like the Wagner Group.
For more on hacktivism and international humanitarian law, see CyberWire Pro.