At a glance.
- Implications of ongoing Russian cyberespionage.
- Industry comment on pipeline cybersecurity.
- Privateering and deniability.
Latest Russian cyberespionage campaign draws concern and caution.
On the eve of the US-Russia summit, a threat actor media outlets are calling Cozy Bear ramped up a spearphishing campaign against NGOs, IGOs, and government organizations, according to CISA. NPR says the operation began in January, and patient zero was a Constant Contact account at USAID, the US Agency for International Development. The Biden Administration last week announced a desire to “restore predictability and stability” at the upcoming Moscow summit, and has not commented on attribution or its response to the attack. Reuters reports the talks will proceed as planned.
The campaign’s targeting of human rights organizations follows the Kremlin’s pattern of attempting to discredit detractors and activist groups as foreign “stooges,” according to Foreign Policy. USAID, for example, was banished in 2012 on the charge of interfering in domestic affairs. The National Interest characterizes the attack as a warning not “to weaponize unrest in Russia” as Moscow worries about US support for a “regime change.” (The operation could also represent a show of force or fit from anti-normalization factions, or business as usual without regard for current events, the piece says.)
Foreign Policy observes that the Administration’s April sanctions have not apparently deterred the Kremlin. Representative Schiff (Democrat, California 28th) noted, “Those sanctions gave the administration flexibility to tighten the economic screws further if necessary — it now appears necessary.” The Hill summarizes additional calls for stronger measures, and recalls President Biden’s statement, “If Russia continues to interfere with our democracy, I am prepared to take further actions to respond.”
Cyberspace Solarium Commission Executive Director Montgomery commented, “President Biden is a man of his word, [and] we need to take more aggressive measures, both sanctions and other elements of the defend forward strategy,” including “actions against the kind of critical infrastructure that conducts these kinds of operations.” Representative Langevin (Democrat, Rhode Island 2nd) said Moscow “must be held accountable,” and he hopes the Administration “will strongly consider all available options.” Representative Katko (Republican, New York 24th) concluded, “Russia will not stop attempting to undermine U.S. cyber space until they know the consequences will be dire.”
Spearphishing attacks, some industry experts caution, are common and not a sign of escalation. Wired describes the incident as “nothing unexpected” and “a regression to the mean,” with hackers targeting known weak links. “[I]t's an open secret in the incident response world,” a former Homeland Security consultant explained, “that USAID and the State Department are a mess of unaccountable, subcontracted IT networks and infrastructure.” A National Security Council spokesperson told the Hill the Council is “monitoring the situation closely,” but it appears to be “basic phishing,” and “we should all know better than to click links in unknown emails.”
Pipeline security policy: industry comments.
As the US Federal Government moves to tighten cybersecurity regulation of pipelines in the aftermath of the Colonial ransomware incident, in particular by moving from a voluntary to a mandatory compliance system, we heard from several industry experts on the likely effect such changes might have.
Rosa Smothers, former CIA cyber threat analyst and technical intelligence officer, now an SVP with KnowBe4, wrote to remind us that pipelines are just one aspect of critical infrastructure:
"We need to do more and this is a start, but why single out pipeline delivery? These pipelines are one component of our overall critical infrastructure -- but what about power, water, oil, transportation and communications? Cybersecurity requirements should be levied throughout these critical industries to ensure the same level of readiness and prevent a far greater crisis than what occurred with the Colonial pipeline ransomware incident. There are fundamental cybersecurity tenets that often go ignored by industries responsible for our critical infrastructure. We must also consider who is best suited to handle this effort -- since its establishment post-9/11, TSA has been focused on airline security. CISA must be enabled to handle the critical infrastructure cybersecurity mission."
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, notes the convergence of safety and security:
"For critical infrastructure, cyber security must be one of the highest priorities, perhaps second only to personnel safety. As we become ever more reliant on technology to deliver vital services and resources to our country, we must ensure that the added efficiency does not also carry with it increased risk. This is a tremendous challenge, however. The problem is that 'technology' isn't just one thing, but a whole sphere of different specific disciplines, each of which can take years to master. Security is one such domain that requires deep experience and expertise to approach even adequate levels of protection. The same way you wouldn't want a heart surgeon rooting around in your brain (or vice versa), effective security programs can't be an 'in addition to' responsibility of IT staff. To be sure, security is a component of every individual in an organization, but it's critical to have experts experienced with both offensive and defensive tactics responsible for operational tasks that can affect security."
Edgard Capdevielle, CEO of Nozomi Networks, thinks the directive is a good start, but hopes that regulators won't unduly burden the victims of cyberattack:
“This new directive is a good start. Mandatory breach reporting and security gap assessments are important first steps to address security issues in the oil and gas sector. As seen with Colonial, the cost of downtime is prohibitive; many in this sector already engage in mature cybersecurity practices. However, the distributed nature of oil and gas operators -- pipelines, rigs and refineries in remote locations -- makes securing their physical infrastructure difficult. We know from our customers that no two operators are alike in terms of the exact processes and systems they’re using. These factors make it harder to establish one set of cybersecurity requirements that will work effectively for all.
“The danger is that too much regulation will increase operating and consumer costs. While there's a place for security mandates, we need to be careful not to put all the burden on the victims. Tax incentives and government-funded centers of excellence will help ensure that critical infrastructure operators can build and maintain effective cybersecurity programs over time. TSA does not have the resources to achieve all of this -- a public/private collaboration will be essential to achieve real results.”
Jerome Becquart, COO of Axiad, thinks this marks the point at which awareness of and responsibility for cybersecurity moves beyond the IT team:
“Cybersecurity is no longer a priority for just the IT team and the CIO. In the oil and gas and other industries, physical infrastructure and operational assets are now highly connected to our global networks, making them vulnerable to the same type of attacks that previously only occurred on cloud-based applications and digital assets.
"As operations digitalized, many organizations failed to do one thing: prioritize security. This is compounded by the fact that organizations often lagged behind in adapting their processes and still operate with an analog mindset.
"It’s critical to reassess and take a more dynamic approach to security: identify what connects to our infrastructure, validate these are legitimate entities, and ensure the right level of access. We need to leverage the identity management best practices we are using in the IT space and extend them to the operational side of our businesses.”
Privateering and deniability.
One perceived advantage of what's coming to be called, by Cisco Talos and others, "privateering," is deniability.
James McQuiggan, security awareness advocate at KnowBe4, commented on the misdirection:
“One reason cyber attacks continue against organizations is because cyber criminals are very good at covering their tracks and making it difficult for attribution. An organization with a large number of technical employees that can forensically analyze the data and determine attack patterns can provide insight into the various cyber criminal groups committing these attacks.
"With the recent Darkside group going dark after what appears to be a loss of their electronic infrastructure, it seems they are working on regrouping their efforts. Only recently, in November 2020, Maze, the successful ransomware group that exposed dozens of organizations with stolen data, disbanded and ended their efforts of breaking into organizations.
"Individually, cyber criminals still need to live and make money, so they take their skills and expertise to another group and give themselves a new name and start all over.”
It can also be to a government's advantage for the operations of its espionage services to be mistaken for the activity of ordinary criminal gangs. The Iranian wiper (described last week by SentinelOne) posed as ransomware in a campaign against Israeli targets. It's recently acquired genuine ransomware capabilities. WIRED has an overview of the campaign, and CPO Magazine notes that one motivation for the imposture is false-flagging: Tehran's operators appear to have wished to be taken for a Russian ransomware gang.