At a glance.
- Updates on international enforcement actions against REvil.
- Israel reacts to US sanctions against NSO Group.
- Comment on the cyber implications of the US infrastructure bill.
Progress in international efforts to dismantle REvil ransomware group.
In a major victory for an international operation aimed at taking down the REvil (aka Sodinokibi) ransomware gang, the US Department of Justice (DOJ) has disclosed the indictment of Ukrainian national Yaroslav Vasinskyi, arrested last month in Poland for his involvement in the extremely damaging attack on software firm Kaseya this summer. As Kaseya’s senior vice president of corporate marketing Dana Liedholm told CRN Australia, “We at Kaseya are grateful for the support and assistance provided by the FBI, as well as the swift action and response provided by the Department of Homeland Security, Department of Justice and all other involved United States Government entities.” The DOJ also confirmed the seizure of $6.1 million connected to alleged ransom payments made to Russian national Yevgeniy Polyanin, another REvil affiliate who currently remains at large. As Reuters reports, Deputy Attorney General Lisa Monaco highlighted Kaseya’s cooperation in the effort: “We are here today because in their darkest hour, Kaseya made the right choice and they decided to work with the FBI.” President Joe Biden said in a response released by the White House, “When I met with President Putin in June, I made clear that the United States would take action to hold cybercriminals accountable. That’s what we have done today.”
As Europol explains, the charges are the latest results of operation GoldDust, an international law enforcement collaboration between seventeen countries, Europol, Eurojust and INTERPOL, as well as cybersecurity firms Bitdefender, KPN and McAfee. The operation has led to the arrests of a total of seven suspected REvil affiliates so far, responsible for attacks amounting to over €200 million in ransom demands. “This collaboration with law enforcement is a prime example of the public and private sector working together to significantly disrupt cyber criminal activities,” said Bogdan Botezatu, director of threat research and reporting at Bitdefender. Computer Weekly reports that the firm is responsible for developing free decryption tools to fight attacks from REvil and suspected predecessor GandCrab, resulting in over 45,000 decryptions and saving hundreds of millions of euros. The Record by Recorded Future offers a helpful overview of the history of REvil.
Alex Iftimie, Co-chair of the Global Risk and Crisis Management group at Morrison & Foerster and former Justice Department National Security official wrote that success against cyber gangland depends upon changing the crooks' risk calculation: “Winning the war on ransomware means convincing would-be hackers that the risks of joining a ransomware group outweigh the benefits. Few actions do more to change that risk calculus than successful arrests. Kudos to former DOJ colleagues.”
Israel reacts to US sanctions against NSO Group.
After revelations that Pegasus surveillance software from Israel’s NSO Group was being abused to spy on numerous journalists and activists, last week the Biden administration imposed sanctions on the company, with the US Commerce Department adding NSO to its Entity List for malicious cyber activities. In response, Reuters reports, Israel's Foreign Minister Yair Lapid attempted to distance the Israeli government from NSO Group, stating that the company has no influence over Israeli policy. “I don't think there is another country in the world which has such strict rules according to cyber warfare and that is imposing those rules more than Israel and we will continue to do so,” Lapid stated.
However, on Monday evidence emerged that Pegasus had been used against Palestinian human rights activists, raising concerns that the Israeli government itself could be responsible. The Israeli prime minister’s office and the Defense Ministry denied the allegations, and NSO says it cannot confirm or deny the source of the surveillance. Despite this new development, the New York Times reports that two senior Israeli officials have asked the Biden administration to reverse the sanctions, stating that Pegasus is essential to Israel’s foreign policy, and vowing that Israel’s Defense Ministry would be stricter in overseeing software licensing. Haaretz asserts that the sanctions signify a shift toward cracking down on spyware, which has gone largely unregulated until now, and adds that the whole saga demonstrates just how shortsighted the Israeli government has been in its handling of defense exports.
Comment on the cyber implications of the US infrastructure bill.
The White House has issued a factsheet on the recently passed infrastructure bill. It has the expected tone of a victory lap, but it summarizes a complicated piece of legislation that covers a range of sectors, risks, and opportunities. Many of them touch on cybersecurity.
We heard from a number of industry sources on the bill's implications for cybersecurity. Neil Jones, cybersecurity evangelist at Egnyte, welcomes the bill's funding of resilience:
“With the escalating volume of ransomware attacks and ballooning ransom payments, it's clear that the approaches most organizations use to address ransomware and targeted cyberattacks on critical infrastructure just aren't working. So, I’m excited to see that the $1 trillion infrastructure bill has allocated funds to maintain resilience of the USA's infrastructure against cyberthreats and malevolent nation-states. I'm particularly reassured to see both political parties supported the newly established office of National Cyber Director (NCD), including funding for the NCD to hire qualified personnel that will help him/her to achieve the group's important mission. Finally, I'm pleased to see that the Environmental Protection Agency (EPA) and CISA will take definitive action to identify public water systems that, should they become degraded or rendered inoperable due to cyberattacks, could significantly impact the health and safety of the general public. These changes will boost the country’s cybersecurity efforts and jump-start the government's response to cybersecurity intrusions. And, it will protect US citizens’ health and well-being -- an essential outcome you can’t put a dollar figure on during an ongoing pandemic.”
Tyler Farrar, CISO at Exabeam, took the occasion to discuss why critical infrastructure is a particularly attractive target for offensive cyberoperations:
“Critical national infrastructure (CNI) is a major target for cybercriminals due to the high, potentially life-threatening, impact successful attacks yield. So it’s extremely encouraging to see that the bipartisan infrastructure bill has dedicated investment dollars to protecting these systems.
"It’s crucial to understand and measure normal critical asset/system posture in order to protect critical infrastructure and avoid breaches. If there’s a digital route to systems in operational technology (OT), it’s at risk whether they are air-gapped or not. We have to be more rigorous in monitoring OT systems by securing all viable log data in terms of system setting, access control and maintenance. Even the smallest anomalies should be prioritized, investigated and managed accordingly. Simply relying on individual users for protection of our CNI systems will not scale.
"The only way to move forward for CNI protection is to work better with automation technologies to manage large volumes of data streams, analyze them for any anomalies and report risk and attacks in real time. This, along with constant user education on being diligent and the much-needed government support the infrastructure bill will provide, is critical to protecting CNI systems from ambitious cyberthreats.”
Glasswall CEO Danny Lopez approves of the bill in general, and sees the incorporation of measures to protect water systems from cyber sabotage as particularly noteworthy. He also notes some of the security measures the bill encourages:
“With the increase of cyberattacks we’ve seen throughout the last two years, the new infrastructure bill is a crucial step in improving the security of the nation’s infrastructure and modernizing systems to protect sensitive data and information.
"Here are a few important points. Following a rise in attacks on water systems in areas like Florida and the Bay Area, the bill requires the EPA and CISA to identify at-risk public water systems that could impact a large percentage of the population if deemed unsafe or inoperable due to cyberthreats. This is an extremely welcome initiative. In addition, the bill incorporates the Cyber Response and Recovery Act of 2021, which allocated a whopping $100 million to improving government cybersecurity, and a significant investment in talent for the office of the new National Cyber Director.
"This bill, in addition to the administration's executive orders (EOs) on the subject, shows just how seriously federal cyber leaders take the threat we all face. Previous EOs have emphasised the importance of stronger multi-factor authentication and encryption. These are critical elements in an effective cybersecurity strategy, but an overarching zero trust approach will take businesses’, government agencies’ and critical infrastructure organisations’ protection to the next level.
"Zero trust security sees the world differently so no one is trusted by default, regardless of whether they are inside or outside a network. Without a zero trust approach, organisations run the risk of attackers having free rein across a network once they are inside. If more security teams turn to this approach, fewer attacks and payments will need to be reported.”