At a glance.
- India investigates Pegasus use.
- FCC revokes China Telecom Americas' license to operate in the US.
- CISA announces election security lead.
- Reports: North Korea prepares software supply chain attacks.
- Child protection in social media.
- Fuel distribution cyber sabotage in Iran.
India launches special probe investigating Pegasus.
As nations across the globe continue to react to the revelations of the Pegasus Project, India’s highest court has ordered a special investigation into the allegations, the Washington Post reports. The court will appoint a three-person independent committee to determine why the phone numbers of Indian journalists, activists, and political officials were found on a list of potential surveillance targets from clients of the Israeli spyware firm NSO Group. The discovery has raised suspicions that the Indian government was spying on its people, and has even led to protest rallies among citizens. Headed by a former Supreme Court judge, the panel will have eight weeks to "probe the falsity and discover [the] truth," according to Chief Justice of India NV Ramana. As the BBC explains, the probe comes on the heels of a Supreme Court hearing that began in August, during which the government claimed the accusations were mere conjecture.
FCC discontinues license of China Telecom Americas.
In a unanimous decision, the US Federal Communications Commission (FCC) has voted to revoke the operating license of China Telecom Americas, the Record by Recorded Future reports. The action is the latest in a series of US measures against Chinese telecommunications companies, driven by concern that they could give hackers tied to the Chinese government access to US networks. China Telecom, which has been operating in the US for nearly twenty years, is China’s largest telecom company and offers wireless services for Chinese Americans and Chinese travelers to the US. FCC Commissioner Brendan Carr explained in a tweet, “The FCC’s own review found that China Telecom Americas poses significant national security concerns due to its control and ownership by the Chinese government, including its susceptibility to complying with communist China’s intelligence and cyber security laws that are contrary to the interest of the United States.”
CISA selects Senior Election Security Lead.
The US Cybersecurity and Infrastructure Security Agency (CISA) announced that it has appointed Washington Secretary of State Kim Wyman as the agency’s new Senior Election Security Lead. The position will lead the Biden administration’s efforts to ensure free and fair elections protected from digital interference. Wyman is the state of Washington’s second woman to serve as Secretary of State and has extensive experience overseeing state and local elections. CISA Director Jen Easterly stated that Wyman’s “deep knowledge of state and county government will strengthen our partnerships with state and local officials and enable us to expand our outreach to smaller election jurisdictions and private sector partners.”
DPRK preparing software supply chain campaigns?
The Lazarus Group seems to have set its sights on supply chain attacks. Researchers at Kaspersky report detecting new activity by the North Korean threat actor, one of the world’s most prolific advanced persistent threat groups. Active since 2009, Lazarus has been responsible for ransomware operations as well as cyber-espionage campaigns targeting the defense sector and cryptocurrency exchanges. The group’s focus remains cyber-espionage, but it is now concentrating on building supply chain attack capabilities around a multi-platform targeted malware framework. Kaspersky senior security researcher Ariel Jungheit explains, “These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks.” Supply chain attacks like the SolarWinds incident have been making headlines this year because of their domino effect across multiple organizations and industries.
Erich Kron, security awareness advocate at KnowBe4, points out that Lazarus has evolved to keep up with changes in cyberspace:
“The Lazarus Group continues to demonstrate its ability to adapt and to continue to be a serious threat in the world of cybercrime. These supply chain attacks take advantage of the trust we have in vendors, especially security vendors, and the tools that we install in our environments. These tools often have a high level of permissions, which makes the deployment of malicious payloads a trivial task. Unfortunately, the very tools that are compromised may even be the same tools tasked to stop or discover an intrusion.
"Because the Lazarus Group commonly uses spear-phishing as an initial attack vector, to defend against these attacks, organizations should ensure they are teaching users how to spot and report these social engineering attacks. In addition, using simulated phishing attacks to help users practice and improve their skills at spotting these real attacks can provide a significant reduction in risk.”
Saryu Nayyar, CEO of Gurucul, observes that “Government sponsored attacks continue to be a major issue for other governments and enterprises. Both types of organizations need to be cognizant of the potential for high-powered attacks and respond appropriately. Early detection and remediation continue to be the best approach to dealing with these types of attacks.”
Doug Britton, CEO of Haystack Solutions, points out that:
“Supply chains are a high impact target and this discovery of a nation-state actor developing RAT malware is a story that will be heard again and again. Reconfiguring malware and innovating around social engineering attacks will remain a persistent threat to multinationals and governments alike.
"The best defense for this remains a strong cyber security team. Organizations need to ensure they invest in a pipeline of cyber and infosec professionals in addition to standard industry protections. We have the technology to find this talent even in a tight labor market. We need to get these folks into the fight in order to keep these threats at bay.”
Demi Ben-Ari, CTO and Co-Founder of Panorays, notes that cyberthreats are increasingly diffused across third-parties and suppliers:
"Once again, we see that cybercriminals are exploiting vulnerabilities in the supply chain in order to wreak havoc on large enterprises. In this case, the Lazarus hacking group targeted a South Korean think tank through a Latvian IT vendor, reflecting the same strategy that was used in the SolarWinds and Accellion breaches.
"These types of cyberattacks drive home the fact that an organization is only as secure as the third parties to which it is connected. This is why it’s so essential for every organization to have a robust and automated third-party security risk management process in place that assesses and continuously monitors the cyber posture of all suppliers, vendors and business partners."
Social media firms seek to influence child protection legislation.
As executives from YouTube, TikTok, and Snap testify before the US Senate Commerce Committee on child privacy protection (Bloomberg has context) Paul Bischoff, privacy advocate at Comparitech, comments on the regulatory pressures social media are likely to face in the near future:
"Politicians are hurling a lot of criticism at tech companies with few solutions. I think tech companies are stuck between a rock and hard place: the demands of consumers and regulators and the realities of the networks they've created. Here are a few examples:
"- Age verification is extremely difficult to do without handing over detailed personal information, which would create privacy risks.
"- The volume of content uploaded to these social networks is too great to manually pre-screen all of it. Automated systems are necessary but won't catch everything. So the companies have to rely on users flagging inappropriate content, and kids, who frequently watch without their parents, often don't have the judgment to take action when prudent.
"A lot of the complaints echo the concerns of parents from previous generations, but in a new medium. Just like social media, video games, TV, movies, and books have been scapegoats for parents in the past. We need to separate what we perceive as bad influences from direct harms and address the latter first.
"Cyberbullying is a real problem because it can follow kids home even after they leave school, but it's extremely difficult for a tech company to monitor interpersonal relationships and take action. Some social networks have removed private messaging for kids for this reason.
"I don't have much sympathy for YouTube Kids. Unlike traditional YouTube, Google doesn't have to worry about violating anyone's First Amendment rights when it removes content; kids' content should be curated more carefully and deliberately, and free speech is not a primary concern. The content targeted at kids is often vapid and sometimes even harmful. If Google can't even police YouTube Kids, it has no chance of ever getting YouTube as a whole under control. YouTube is a huge source of misinformation and radicalization online."
Cyberattack reported against Iranian state-subsidized fuel stations.
According to the Washington Post and others, subsidized fuel sales at Iranian gas stations were disrupted yesterday in what the government in Tehran describes as a cyberattack. Investigation is in progress, and the incident isn't yet attributed to any particular threat actor. Observers compare the attack, if such it proves to be, with the disruption of rail service messaging earlier this summer, generally thought to have been the work of Iranian dissident hacktivists. The incident comes shortly before the second anniversary of 2019's street protests against fuel price increases.
The possibility of false flags and front organizations will make attribution in this case difficult. Tim Erlin, VP of Strategy at Tripwire, cautioned that it's early to draw many conclusions:
“It’s still very early in the incident timeline, and information on the root cause and details of this incident are going to remain scarce for a while. We should expect that Iran will only share the information they deem advantageous, and that there will be a lot of conjecture about what actually happened here. Ultimately, it’s hard to take much away from this incident today other than a growing body of evidence that infrastructure is the next big cyberattack surface. Organisations that manage critical infrastructure should ensure their systems are hardened, as this helps to safeguard the integrity of digital assets and protect against threats and vulnerabilities.”