At a glance.
- US Department of Justice seizes domains Nobelium used in USAID impersonation phishing campaign.
- International law, deterrence, and the range of response to cyberattacks.
US Justice Department seized domains employed in USAID phishing incident.
Reuters recaps a US Department of Justice announcement of the Department’s court-ordered seizure last Friday of two domains used for malware distribution and command-and-control communications in the USAID spearphishing operation. The seizure was intended to identify victims and interrupt the attack. Justice warned, however, that the attackers may have installed alternative backdoors before the seizure, so domain takedown alone does not guarantee that affected systems are clean.
National Security Division Assistant Attorney General John Demers commented, “Last week’s action is a continued demonstration of the Department’s commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation.”
Responding to nation-state cyberattacks.
Microsoft argues the USAID attack represented “espionage as usual” and warrants only a limited response from the Government. The Holiday Bear (SolarWinds) breach, by contrast, did not: by indiscriminately co-opting a trusted software update mechanism it “corrupt[ed] a core process essential to the security of the digital ecosystem.” The firm recommends defending through good hygiene and use of secure cloud technology, and deterring through sanction-backed attribution and norms.
On the norms front, the US Mission to the United Nations has a transcript of State Department cyber coordinator Michele Markoff’s remarks on the UN Group of Governmental Experts’ cyber norms report, also summarized in a State Department Twitter thread. The report offers guidance for victim states, affirms confidence-building and capacity-building efforts, and provides long-anticipated explanations of “the eleven norms to which all UN member states have committed.” Markoff concluded, “[W]e are calling on all states to put this framework [for responsible behavior in cyberspace] into practice.”
Security Boulevard weighs the best methods for enforcing norms, from diplomatic expulsions and economic sanctions to warrants and extradition laws, ransom payment prohibitions, and proportional cyber or kinetic responses. Former NSA Director Keith Alexander supports a public-private threat-detection and information-sharing initiative with the ability to pre-empt attacks, according to Newsmax.
Alexander suggested the USAID campaign was a collection effort in preparation for the upcoming Biden-Putin summit, and claimed the incident might be connected to the SolarWinds and Colonial Pipeline operations. Moscow is engaged in a crusade to destabilize and undermine Washington’s “influence and power,” former Homeland Security Adviser Tom Bossert observed.
In an interview with New Hampshire Public Radio, former NSA General Counsel Glenn Gerstell remarked on the “audacity and timing” of the USAID attack in the wake of the Biden Administration’s Russia sanctions and on the eve of a summit meant to repair relations. He predicted President Biden will condemn Russian cyberattacks at the meeting, and President Putin will deny them.
While it’s clear “our current scheme of deterrents simply isn’t working,” Gerstell said, “our cyber insecurity…is a chronic disease for which we don't have a single cure.” Regulating cryptocurrency would dampen ransomware attacks, but not espionage or purely disruptive attacks. Better international and public-private coordination offers another path forward.