At a glance.
- Bulgaria joins US-led Clean Networks program.
- Italian cabinet blocks sale of Huawei 5G equipment to Fastweb.
- Inauthenticity in Myanmar-based networks.
- Energetic Bear's threat to US elections.
- US Treasury Department imposes sanctions for Triton/Trisis malware attacks.
Bulgaria joins stand against Beijing telecoms tech.
Last Friday Sofia joined Washington in signing a statement on next-generation 5G infrastructure security, as Reuters reports, with the aim of safeguarding digital communications and data privacy. While no vendors were named in the statement, US Undersecretary for Economic Growth Keith Krach let slip that the goal is excluding Huawei and ZTE. Bulgaria is now part of the US State Department’s Clean Network program, which stands against “aggressive intrusions by malign actors, such as the Chinese Communist Party” using “a multi-year, all-of-government, enduring strategy, built on a coalition of trusted partners.” A total of twenty-seven NATO countries have signed onto the program.
Italy nixes Huawei-Fastweb contract.
Rome has apparently blocked Huawei from providing 5G gear to Italian telecoms company Fastweb, according to Reuters, the first such block Huawei has encountered in Italy. Last Thursday the nation’s cabinet “used its special vetting powers” to veto the transaction. While Italy has yet to declare an outright ban on Huawei, government decisions could effect an unstated prohibition. In July Telecom Italia excluded Huawei from a solicitation for bids. Companies that do purchase Huawei paraphernalia are restricting remote tech support and implementing “get-out clauses” that protect them should the state impose expensive conditions. Earlier this month the CyberWire noted Italy’s hint that “preparations to take a stronger stance [against China] were underway” following a friendly visit from US Secretary of State Mike Pompeo.
Last week Facebook announced that it had removed six-hundred-fifty-five Myanmar-based inauthentic pages and twelve inauthentic groups with apparent sponsorship and ad revenue profit motives, Graphika reports. Constellations of pages directed traffic to the same websites, creating “amplification” networks. Several of the websites were linked to the same Google Analytics or AdSense account, and some of the accounts seemed to be connected. The pages had large follower counts—up to 5 million—and voluminous interactions. Most posts concerned celebrity doings, but a few touched on politics. These mentioned the Myanmar and Arakan Army and propagated anti-Muslim sentiment. In 2018 and 2019 alleged Myanmar military influence operations were caught mixing propaganda with clickbait, but mercantile outfits have also been known to mingle gossip and political news.
Energetic Bear's election threat.
The New York Times warns that the Russian hacking group snuffling around electoral infrastructure has in the past succeeded at infiltrating airports, water plants, power grids, and nuclear facilities. Russian Federal Security Service (FSB) affiliated Energetic Bear has not previously been observed interfering with political activities, but this fall they’ve pilfered data from at minimum two election servers. Former US Department of Homeland Security cybersecurity undersecretary Suzanne Spaulding said Moscow may have called in “the A Team” to work quietly following US sanctions. A stealth attack also leaves open the possibility of pulling back should doing so prove favorable.
Energetic Bear works by spreading a wide snare and hunting for meaty morsels, and US counterstrikes haven’t deterred them in the past. Experts predict the brute might target signature verification databases or swing districts’ power supply.
Treasury sanctions Russian research institution over TRISIS.
The US Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions against the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) for its alleged role in developing the TRISIS/Triton malware, which was designed to disable specific industrial safety systems. The malware was deployed against a Saudi petrochemical plant in 2017, but was thwarted by the plant's additional safety measures. Had the malware worked as intended, it could have caused physical destruction and even loss of life. The Treasury Department also emphasizes that, "In 2019, the attackers behind the Triton malware were also reported to be scanning and probing at least 20 electric utilities in the United States for vulnerabilities."
Dragos's Rob Lee tweeted that "This style of sanctioning is significant and honestly entirely appropriate against those involved in the first ever cyber attack to intentionally try to kill people in civilian infrastructure." He subsequently emailed comments to the effect that, "An OFAC sanction by the U.S. Treasury is significant and compelling; not only will it impact this research institution in Russia, but anyone working with them will have their ability to be successful on the international stage severely hampered. The most important aspect of this development, however, is the attribution to Russia for the TRISIS attack by the USG officially and the explicit call out of industrial control systems in the sanction. This is a norm setting moment and the first time an ICS cyber attack has ever been sanctioned. This is entirely appropriate as this cyber attack was the first ever targeted explicitly towards human life. We are fortunate no one died and I'm glad to see governments take a strong stance condemning such attacks."
We also heard from Nozomi Networks. Suzanne Spaulding, Nozomi Networks Advisor and former Undersecretary of Homeland Security, thinks the sanctions worth pursuing. "The sanctions are an important step in signaling how seriously we take any malicious cyber activity that poses a threat to human life or safety," she wrote. She added that it's particularly important the organization sanctioned in this case was a research institution:
"And sanctions against a scientific research institute may impact the individuals who developed these tools more than sanctions against the Russian government might. Scientists thrive on their reputation. Accusing them of threatening peoples' lives, and impacting their ability to collaborate internationally, may actually impose significant cost.
“More broadly, when combined with other recent USG activity calling out Russian cyber activity, including recent indictments and alerts, Russia should be on notice that they cannot act with impunity--or at least not without attribution. The timing may be intended to warn against hacking into election infrastructure, or it may be designed to look tough on Russia for the American electorate, or both.”
Andrea Carcano, Nozomi Networks co-founder sent comments on Nozomi's analysis of Triton. “When Nozomi Networks analyzed the Triton malware in 2018, our findings led us to believe that while Triton failed, the attacker(s) could have just as easily succeeded in injecting the final payload. This realization, combined with the knowledge that a growing number of nation-state adversaries and other hackers have critical infrastructure in their sights, calls for vigorous defense of our national critical infrastructure." He added that any adequate response to attacks of this severity and scope has to involve the cooperation of many:
“No single entity can solve this global issue; rather, end users, third-party suppliers, integrators, standards bodies, industry groups and government agencies must work together to help the global manufacturing industry withstand cyberattacks and protect the world’s most critical operations and the people and communities we all serve. The perfect storm of increasing cyber threats, digital transformation and IT/OT convergence means organizations must move swiftly to shore up their defenses with solid cybersecurity programs that deliver deep visibility and effective security that spans OT and IoT networks and devices.”