At a glance.
- China's MSS named as responsible for Microsoft Exchange Server exploitation.
- The Pegasus Project reports on NSO Group's intercept tools.
- MI5 issues its annual threat assessment.
- US Commerce Department adds six to its Entities List.
- Skepticism about treating Big Tech as a public utility.
- An OT perspective on the US ransomware task force.
Naming the Ministry of State Security in the Microsoft Exchange Server hacking campaign.
This morning the US, with the concurrence of the other Five Eyes, NATO, Japan, and the European Union, formally attributed an attack on Microsoft Exchange Server to China's Ministry of State Security. The attribution has long been expected. On May 2nd Microsoft itself had attributed the incident to Hafnium, which it identified as a "state-sponsored threat actor" that "operates from China." NSA, CISA, and the FBI have issued a joint cybersecurity advisory this morning on behalf of the US Government that outlines the basis for the attribution, the tactics, techniques, and procedures the Ministry of State Security employed, and a range of suggested mitigations. Their joint advisory contains an observation that should motivate organizations to patch as quickly as possible: "One significant tactic detailed in the advisory includes the exploitation of public vulnerabilities within days of their public disclosure, often in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products."
So far the official attribution to China involves no additional sanctions or other imposition of costs directed specifically at Beijing’s actions in this case, the Washington Post reports, with some officials suggesting that it marks a setting of expectations for how nation-states are expected to behave in cyberspace.
Mike Hamilton, Founder/CISO of Critical Insight, wasn't surprised by the announcement, which had been in the offing for a good week and a half:
"This is an expected announcement. It was reported about 10 days ago that this would be coming. The reason it took so long is that the process of attribution involves reverse-engineering malware binaries and looking for coding ‘fingerprints’ that are similar to others that have been attributed with high confidence. It’s notable that a coalition of countries is making this claim, and not just the United States."
Jorge Orchilles, CTO of SCYTHE, also noted the difficulty of attribution: "In cybersecurity, attribution is difficult but important. Publicly coordinating and publishing the data that led to the attribution is better than not acknowledging the malicious actors at all. However, these are just the first steps. Continued pressure is required to ensure a positive outcome from all this hard work."
Critical Insight's Hamilton added:
"I note that we’re not taking the same tone as we are with Russia (yet). We’re using the tactic of identifying the principal actors and putting them on a naughty list, although we’re reserving the right to further implicate the government later – which is the key message here. The Chinese have just been made aware that we can identify individual actors that have worked on cyber tools and campaigns through a combination of intelligence and the aforementioned technical analysis… so they know we know, and will hopefully see that further action will publicly implicate the regime and I’m sure they don’t want sanctions to be leveled at them."
We note the significant "yet" in his comment. The attribution was a joint effort, and retaliatory action in concert with allies is a more complicated, protracted process than unilateral action.
The Pegasus Project and the difficulty of keeping lawful intercept lawful.
Forbidden Stories' Pegasus Project yesterday published, with the cooperation of some sixteen other news organizations worldwide, the results of a long-running, collaborative investigation of NSO Group. From a leaked list of more than fifty thousand phone numbers that "NSO clients selected for surveillance," investigators determined that one hundred eighty journalists in at least five countries were targeted. "Forbidden Stories and Amnesty International had access to a leak of more than 50,000 records of phone numbers that NSO clients selected for surveillance," the Pegasus Project’s report said.
Jorge Orchilles, CTO of SCYTHE, also commented on this story, noting the challenges of controlling the possibility of abuse: "Most technology can be used for good and for bad. In this case, it was used for what most ethical people will consider 'bad'. Monitoring solutions and products to ensure they are not used for unethical purposes continues to be a challenge for software companies. There is no simple answer to this problem."
MI5’s Annual Threat Update.
MI5 Director General Ken McCallum’s annual threat update last week touched on ransomware, critical infrastructure, corporate espionage, influence operations, online speech, and encryption. SecurityWeek highlights the similarities to warnings out of Washington. While the US emphasizes China’s threat, however, McCallum appeared to give equal weight to Russia and Iran. He proposed a number of remedies, not including “hid[ing] under our beds,” to the country’s cyber afflictions:
- “new expertise, new sources, [and] new methods” for tackling “toxic ideology” and “extremist echo chambers” peopled by teenagers and potential terrorists
- ongoing detection and exposure of dangerous disinformation
- “public awareness and resilience,” critical consumption of information, and “a rigorous, independent, plural media”
- collaboration with global partners, GCHQ, MI6, police, and Defense
- legal reforms regarding foreign espionage
- “front door” access, “on an exceptional warranted basis,” to criminals’ devices
- designs that give weight to both safety and privacy
- a “whole-of-system response” that unites Government, academia, industry, and broader society
These threats are “worth standing up to,” McCallum said, since “they can corrode the fabric of our society, and limit the life chances of the rising generation.” SecurityWeek describes the address as “almost a call” to Washington to preserve the countries’ “special relationship.”
US Commerce Department adds Russian organizations to the Entities List.
BankInfoSecurity summarizes the Commerce Department’s Friday Entities List action. The Bureau of Industry and Security (BIS) added to the list four Russian cyber and infotech companies, and two state-operated tech organizations, that were sanctioned in April for their ties to the SVR, GRU, and FSB. The entities now face additional restrictions on business transactions with US firms. BIS’ bulletin stresses Moscow’s “destabilizing behavior” spanning election interference, cyberattacks, and persecution of journalists, and the array of Executive Order 14024-authorized responses.
An argument that Big Tech can’t usefully be thought of as a utility.
Wired sees a number of logical errors in arguments for treating Big Tech like public utilities or common carriers. First, the two distinct categories are often conflated or inappropriately nested. Second, public utilities contract with the Government to deliver their core services; Big Tech does not. Third, common carriers are neutral, whereas Big Tech business models hinge on discrimination, or ranking. Finally, other (anti-trust) mechanisms are available for preventing companies from giving themselves special treatment.
The US Federal ransomware task force, OT perspectives.
Ransomware has classically affected IT as opposed to OT networks, but OT security experts see a growing threat to their own area. We've received some reactions from industry that welcome the US ransomware task force. Nick Cappi, Cyber Vice President, Portfolio Strategy and Enablement at Hexagon, likens ransomware gangs to terrorist organizations:
"I think the government has this one correct (and has had it correct for a long time, just in a different context). For as long as I can remember, the policy has been 'The United States does not negotiate with terrorists' as well as 'United States doesn’t pay ransoms for Americans kidnapped by terrorists.' I don’t think we should take any lesser stance on data being held hostage by cyber terrorists. Terrorists are terrorists, the assets being targeted (physical or digital) shouldn’t impact the policies and responses."
Eddie Habibi, CEO and Founder of PAS Global (now part of Hexagon), also likes signs of a more assertive response to ransomware, including retaliation:
"The Biden administration’s attention to cybersecurity sends a clear signal to bad actors worldwide that the United States considers cyberattacks, especially those on critical infrastructure, as a matter of national security. The $10M reward for information leading to the identification of perpetrators provides a bounty on the heads of attackers in the highly competitive cyber crime industry. Now, “white hackers” of all sorts have a monetary incentive to hunt down bad actors. This helps democratize the field of threat hunting, expanding the field beyond established cybersecurity firms.
"The administration recognizes that no amount of cyber defense can completely secure the IT and operational technology (OT) networks. We are pleased to see a bullish position on establishing offense as part of the United States' cyber resiliency and protection strategy. Cyber offense, very similar to that in tactical warfare, acts as an effective deterrent to individuals and nation states engaged in rogue activities. The bipartisan nature of the White House’s ransomware taskforce sends a clear message to other nations that we are united as a nation to fight cyber terrorism.
"We hope that the administration does not stop here. Cyber crime is an international plague, often crossing international boundaries. A global initiative to fight and curb cyber crimes requires collaboration of nations in ways not too dissimilar from nuclear proliferation treaties."
NTT Security’s Bruce Snell sees the recent wave of ransomware as an acceleration of existing criminal trends:
"This kind of attack isn’t new. We’ve seen REvil in action before. But it does show a progression in the ransomware-as-a-service (RaaS) economy making it clear to the industry, if it wasn’t already, that cybercrime is now a veritable marketable business. This latest attack highlights for us the interconnected nature of everything, and the importance of having actionable threat intelligence and a solid incident response plan to fight these zero-day vulnerability attacks.
"Just like we saw with the SolarWinds, Colonial Pipeline and JBS ransomware attacks, in a chain of incidents that led to President Biden’s Executive Order, this is yet another reminder that we need to strengthen the supply chain and that organizations need to expect more from each other in terms of cybersecurity hygiene."