At a glance.
- More on the US GRU indictment.
- UK alleges Russia planned to hack the Tokyo Olympics.
- Further evolution of the California Consumer Privacy Act.
More on the Voodoo Bear indictment.
Yesterday the CyberWire Pro Policy reported that the US Justice Department unsealed an indictment of six GRU officers belonging to the variously named Sandworm or Voodoo Bear hacking group. The National Counterintelligence and Security Center (NCSC) tweeted images of the accused, who range in age from twenty-seven to thirty-five, according to a Justice press release. The charges are “conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft.” As New York Times reporter Nicole Perlroth observed, the group is suspected of working to sabotage Ukraine, Georgia, France, the Pyeongchang Winter Olympics, and the investigation into Russia’s use of the chemical weapon Novichok. Assistant Attorney General for National Security John Demers called the attacks “the most disruptive and destructive” ever perpetrated by an organization, with WIRED noting their deployment of NotPetya alone cost $10 billion. Justice sent thanks to Kyiv, Seoul, Tbilisi, and “numerous victims” for their help with the investigation.
Johns Hopkins Professor of Strategic Studies Thomas Rid commented that since the report’s “incredible” intel is apparently expendable, the Five Eyes “must have stunning visibility into Russian military intelligence operations.” Rid highlighted revelations that the group used a Pyongyang false flag along with exploits invented by the US National Security Agency, and indicated the exposure of one defendant’s spearphishing side hustle could raise Voodoo Bear colleagues’ hackles. Although Moscow is downplaying the indictment as a poorly sourced smear (as the Washington Post reports) and the accused of course remain at large (they're in Russia, after all, where the American writ doesn't run), the charges serve as both a show of force and, effectively, a public service announcement. WIRED explains that the move also restricts hackers’ access to Western markets and their ability to travel to countries that have extradition treaties with the US.
Two years ago, two Justice press releases on unsealed indictments named fifteen other GRU officers involved in influence campaigns, some of which targeted the 2016 US election. While a Justice Department representative told WIRED that yesterday’s announcement was not connected to the upcoming vote, FireEye's Director of Intelligence John Hultquist believes otherwise, saying the message is plain: "We know who you are and what you’ve done."
Plans to hack the Tokyo Olympics? London says the Russians had them.
The Guardian reports that the UK's National Cyber Security Centre (NCSC) has disclosed that, working with its Five Eyes partner in the US NSA, NCSC discovered and tracked Russian plans to interfere with the (postponed) 2020 Tokyo Olympics. Foreign Secretary Dominic Raab said, “The GRU’s actions against the Olympic and Paralympic Games are cynical and reckless. We condemn them in the strongest possible terms. The UK will continue to work with our allies to call out and counter future malicious cyber-attacks.”
The US Justice Department didn't include any operations against the Tokyo Olympics in the indictment it unsealed yesterday, and declined in its press conference to comment on the matter. But it seems of a piece with the Olympic Destroyer attacks mentioned in the Pittsburgh indictment, which Justice sneered (with some justice) “combined the emotional maturity of a petulant child with the resources of a nation state,” adding, “As this case shows, no country has weaponized its cyber-capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages and fits of spite.”
We heard from industry experts on the NCSC disclosure. James McQuiggan of KnowBe4 thinks it best to regard the alert as an early warning. "Any large public event or a global organization is a key target for nation-states and cybercriminal groups to disrupt, damage, or destroy through cyber attacks," he said. "With the GRU attributed to these types of attacks, it's an early warning of things to expect when the Olympics happen next year. These large organizations and public event groups need to ensure that cybersecurity is one of their top concerns regarding outside influence and attack. Organizations should have a defense in depth security program which can protect, monitor, and act quickly in response to any cyber attack. Technology is instrumental when matched with human involvement. Having a robust security awareness training program to ensure that employees can make smarter security decisions will help to protect an organization from various attacks."
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, sees the alert from London as a reminder of the importance of considering national services, not just crooks, among the threats your organization faces: "This highlights the importance of including nation state actors into your threat matrix when conducting risk assessments. Especially important is instituting a culture of security including ensuring that key members of the organization are educated about security threats on both personal and professional fronts."
California Consumer Privacy Act, take three.
Cooley reports that the US state of California’s Attorney General issued another round of California Consumer Privacy Act (CCPA) revisions last week and is accepting comments until the 28th of this month. Two previous sets of edits were substantially adopted, and more may be forthcoming – though all amendments could prove irrelevant should the California Privacy Rights Act (CPRA) pass next month. This round of suggestions clarifies what notices must be provided to children, how businesses can verify consumers’ surrogates, what opt-out processes should look like, and what notices must be distributed about data collected offline.