At a glance.
- DPRK using Maui ransomware against healthcare targets.
- Shanghai's big data exposure.
- Quantum computing and security standards.
- Cyber incidents, risk, and credit.
- Notes on the cyber phases of a hybrid war.
- Cybercrime persists in wartime.
DPRK using Maui ransomware against healthcare targets.
The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the US Department of the Treasury have issued a joint alert, "North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector," warning of a North Korean ransomware campaign that's been in progress since at least May of 2021. "North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods." How the threat actor obtained initial access is unclear, but the warning recommends that organizations pay particular attention to the dangers of phishing, and that they train their personnel to recognize it, which suggests that social engineering has played a significant role in the Maui campaign.
Shanghai's big data exposure.
Several questions remain about the big data exposure incident that appears to have affected information held by the Shanghai National Police. Some of the data that have been posted online as a teaser by the person or persons (nom-de-hack "ChinaDan") trying to sell them have been confirmed to be genuine, but it's unclear whether all of them are. If they are the real goods, then the incident affects about a billion people, making it the biggest data exposure in history. The New York Times, like the Wall Street Journal, has been able to determine that some of the posted information is authentic. China has made no official statement on the matter, but the New York Times reports, "On Chinese social media platforms, like Weibo and the communication app WeChat, posts, articles and hashtags about the data leak have been removed. On Weibo, accounts of users who posted or shared related information have been suspended, and others who talked about it have said online that they had been asked to visit the police station for a chat." And all of this suggests some official sensitivity about the matter.
Quantum computing and security standards.
The US National Institute of Standards and Technology (NIST), at the end of a six-year competitive search, has announced the four winners in its program to develop "quantum-resistant encryption algorithms." This represents a milestone en route to NIST's publication of standards for post-quantum cryptography, expected in 2024. The algorithms are:
"For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation.
"For digital signatures, often used when we need to verify identities during a digital transaction or to sign a document remotely, NIST has selected the three algorithms CRYSTALS-Dilithium, FALCON and SPHINCS+ (read as “Sphincs plus”). Reviewers noted the high efficiency of the first two, and NIST recommends CRYSTALS-Dilithium as the primary algorithm, with FALCON for applications that need smaller signatures than Dilithium can provide. The third, SPHINCS+, is somewhat larger and slower than the other two, but it is valuable as a backup for one chief reason: It is based on a different math approach than all three of NIST’s other selections."
Taking note of NIST's announcement, the US Cybersecurity and Infrastructure Security Agency (CISA) outlines some steps organizations can take now, as they prepare for developments over the next two years:
"Although NIST will not publish the new post-quantum cryptographic standard for use by commercial products until 2024, CISA and NIST strongly recommend organizations start preparing for the transition now by following the Post-Quantum Cryptography Roadmap, which includes:
- "Inventorying your organization’s systems for applications that use public-key cryptography.
- "Testing the new post-quantum cryptographic standard in a lab environment; however, organizations should wait until the official release to implement the new standard in a production environment.
- "Creating a plan for transitioning your organization’s systems to the new cryptographic standard that includes:
  - "Performing an interdependence analysis, which should reveal issues that may impact the order of systems transition;
  - "Decommissioning old technology that will become unsupported upon publication of the new standard; and
  - "Ensuring validation and testing of products that incorporate the new standard.
- "Creating acquisition policies regarding post-quantum cryptography. This process should include:
  - "Setting new service levels for the transition.
  - "Surveying vendors to determine possible integration into your organization’s roadmap and to identify needed foundational technologies.
- "Alerting your organization’s IT departments and vendors about the upcoming transition.
- "Educating your organization’s workforce about the upcoming transition and providing any applicable training."
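The first roadmap step, inventorying where public-key cryptography is used, is the one organizations can start on today, and it is mostly a parsing problem: find the keys and certificates already deployed and record which algorithm family and key size each one uses. The following is an added example, written for this briefing and not taken from CISA's roadmap or any NIST material, that does that for one common artefact, OpenSSH public-key lines as found in authorized_keys and known_hosts files. It uses only the Python standard library and decodes the SSH wire format directly; the three key lines it scans are constructed in the block (the RSA modulus is a placeholder integer, not a real key), and the file paths are hypothetical labels. Every family it can classify (RSA, ECDSA, Ed25519) rests on factoring or discrete logarithms, so every hit is by definition something the transition plan has to cover; unknown key types are flagged conservatively for manual review.

```python
import base64
import struct
from dataclasses import dataclass

# Every classical public-key family rests on factoring or discrete logs, the
# problems Shor's algorithm breaks, so the inventory's job is simply to find them.
QUANTUM_VULNERABLE_FAMILIES = {"rsa", "dsa", "ecdsa", "ed25519"}


@dataclass
class KeyRecord:
    source: str              # hypothetical "host:path" label for where the key was found
    key_type: str            # declared OpenSSH type string, e.g. "ssh-rsa"
    family: str              # rsa / ecdsa / ed25519 / unknown
    bits: int                # modulus, curve or key size in bits (0 if unknown)
    quantum_vulnerable: bool # True for every classical family; unknown types are flagged too


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string field")
    return blob[start:end], end


def parse_ssh_public_key(line: str, source: str = "<inline>") -> KeyRecord:
    """Classify one OpenSSH public-key line (authorized_keys or known_hosts style)."""
    parts = line.split()
    # known_hosts lines carry a hostname first; skip it when present.
    if parts and not (parts[0].startswith("ssh-") or parts[0].startswith("ecdsa-")):
        parts = parts[1:]
    if len(parts) < 2:
        raise ValueError("expected '[host] <type> <base64> [comment]'")
    declared_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != declared_type:
        raise ValueError(f"type mismatch: {declared_type} vs {wire_type!r}")
    if declared_type == "ssh-rsa":
        _e, off = _read_string(blob, off)          # public exponent (mpint), not needed here
        n, _ = _read_string(blob, off)             # modulus (mpint), size is what matters
        return KeyRecord(source, declared_type, "rsa", int.from_bytes(n, "big").bit_length(), True)
    if declared_type.startswith("ecdsa-sha2-nistp"):
        curve, _ = _read_string(blob, off)         # e.g. b"nistp256"
        return KeyRecord(source, declared_type, "ecdsa", int(curve.decode()[len("nistp"):]), True)
    if declared_type == "ssh-ed25519":
        pk, _ = _read_string(blob, off)            # 32-byte public key
        return KeyRecord(source, declared_type, "ed25519", len(pk) * 8, True)
    # Anything else (FIDO/sk-* keys, certificates, future PQ types) gets a manual-review flag.
    return KeyRecord(source, declared_type, "unknown", 0, True)


def inventory(entries):
    """Group (source, line) pairs by algorithm family; blank lines and comments are skipped."""
    summary = {}
    for source, line in entries:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_ssh_public_key(line, source)
        summary.setdefault(rec.family, []).append(rec)
    return summary


def report(summary):
    """One human-readable line per key, sorted by family."""
    out = []
    for family, recs in sorted(summary.items()):
        for r in recs:
            action = "needs PQ transition plan" if r.quantum_vulnerable else "ok"
            out.append(f"{r.source}: {r.key_type} ({r.bits}-bit {family}) -> {action}")
    return out


# --- constructed sample input (placeholder key material, not usable keys) ---
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(value: int) -> bytes:
    # Minimal big-endian bytes plus a leading 0x00 when the top bit is set, per RFC 4251.
    return _ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def constructed_key_line(key_type: str) -> str:
    """Build a syntactically valid public-key line around CONSTRUCTED key material."""
    if key_type == "ssh-rsa":
        blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 1)
    elif key_type == "ecdsa-sha2-nistp256":
        blob = _ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256") + _ssh_string(b"\x04" + b"\x11" * 64)
    elif key_type == "ssh-ed25519":
        blob = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x22" * 32)
    else:
        raise ValueError(key_type)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"


SAMPLE_ENTRIES = [  # hypothetical host:path labels
    ("host-a:/root/.ssh/authorized_keys", constructed_key_line("ssh-rsa")),
    ("host-a:/root/.ssh/authorized_keys", constructed_key_line("ssh-ed25519")),
    ("host-b:/etc/ssh/ssh_known_hosts", "gateway.internal " + constructed_key_line("ecdsa-sha2-nistp256")),
]

if __name__ == "__main__":
    for line in report(inventory(SAMPLE_ENTRIES)):
        print(line)
```

The same shape of tool, extended to X.509 certificates, code-signing keys, VPN and TLS configuration, is what the roadmap's "interdependence analysis" later consumes: the output tells you which systems share an algorithm and therefore have to move together.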
Cyber incidents, risk, and credit.
Moody’s Investors Service released a report detailing the credit implications of Conti’s early April ransomware attack on the government of Costa Rica. The attack impacted the government’s two largest revenue streams, income taxes and customs duties, and hit the international trade and healthcare sectors most heavily. The report notes that this attack provides insights on the government’s strength, saying that while the attacks weren’t prevented, they were handled with effective solutions. Moody’s anticipates the fiscal deficit to remain close to 4.8% of GDP, and expects to see GDP growth of 4% in 2022.
In another report, Moody’s discusses the recent cyberattack on Clarion Housing Group in the United Kingdom, and its implications for housing associations as a whole. On June 23, Clarion reported a cyberattack on their IT systems that impacted IT operations, such as scheduling repairs and maintenance. This attack comes on the heels of a number of other cyberattacks on housing associations in the past few years, and highlights the need for cyber risk mitigation. According to a recent cyber survey conducted by Moody’s, cyber risk remains small in the housing sector, but is growing strongly, with 25% spending growth from 2018 to 2020.
Notes on the cyber phases of a hybrid war.
Mobile provider Kyivstar has continued to provide service during the war, as it struggles to work through disruption. That disruption has been, in Bloomberg's account, largely kinetic and, sadly, sometimes lethal. Physical destruction of infrastructure has been more of a problem than cyberattacks, effective versions of which haven't appeared since the opening days of the war saw interference with ViaSat ground stations. The relatively small role Russian offensive cyber operations have played in the war so far has not prevented others from drawing lessons from Russia's conduct of its hybrid war. China is said, by CyberScoop, to be watching the action in cyberspace especially closely, with a view to sorting out its options in the event of war to conquer Taiwan. The consensus lessons are "Strike quickly, pick targets that would cripple the enemy early on and rely on attack methods that never have been observed in public."
And cybercrime persists in wartime.
Criminals continue to shape their social engineering to events, especially tragic events. ZDNet reports that Ukrainian police have arrested nine alleged members of a gang the authorities say are using the promise of European aid checks to beleaguered Ukrainians as phishbait in a tiresome (and unusually heartless, even by low criminal standards) version of a familiar fraud. Victims are directed to a bogus website that presents them with an equally bogus application for assistance. "Through the websites, Ukrainians were offered to form an application for the payment of financial assistance from the countries of the European Union," Ukrainian police say. The victims are invited to provide their banking information so they can receive aid, and then the criminals simply rifle whatever they've been given access to. If convicted, the nine alleged thieves face up to fifteen years in prison.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.