At a glance.
- CISA calls for comment on cyberincident reporting rules.
- US Treasury hits Iran with sanctions for cyberattack on Albania.
CISA calls for comment on cyberincident reporting rules.
On Friday the US Cybersecurity and Infrastructure Security Agency (CISA) announced it would be issuing a Request for Information (RFI) calling for public input on the implementation of the cyberincident reporting requirements laid out in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Passed last March, CIRCIA requires feedback from critical infrastructure providers to determine exactly which entities and incidents will be covered by the law and how the reporting process should proceed. It was announced in the Federal Register that CISA will also hold eleven in-person “listening sessions” across the country in cities like Seattle, Salt Lake City, and Philadelphia. As CISA explains, the meetings are “intended to serve as an additional means for interested parties to provide input to CISA on the topics identified in the RFI prior to the publication of the [Notice of Proposed Rulemaking].” The Federal News Network notes that some critical infrastructure operators are worried that cyberincident reporting rules could distract targeted entities from their attack response. The RFI attempts to address this concern by asking how CISA can balance “the need for situational awareness with the ability of the covered entity to conduct cyber incident response and investigations when establishing deadlines and criteria for supplemental reports.” On Friday CISA Director Jen Easterly stated, “We can’t defend what we don’t know about and the information we receive will help us fill critical information gaps that will inform the guidance we share with the entire community, ultimately better defending the nation against cyber threats.” The Record by Recorded Future notes that the Homeland Security Department has established a Cyber Incident Reporting Council, which will also help forge the proposed rule.
US Treasury hits Iran with sanctions for cyberattack on Albania.
The US Department of Treasury’s Office of Foreign Assets Control on Friday announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence for the July cyberattack on the government of Albania, a fellow NATO member state. As the Wall Street Journal details, the sanctions block all property held by the ministry and its leader Esmail Khatib under US jurisdiction and bar US entities from conducting business with them. Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson stated, “Iran’s cyber attack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public. We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.” The MuddyWater threat group, responsible for a series of attacks worldwide dating back to 2017, was officially linked to MOIS by US Cyber Command. John Hultquist, Mandiant's Vice President of Intelligence Analysis, told BleepingComputer, "MOIS carries out cyber espionage and disruptive ransomware attacks on behalf of the Iranian government in parallel with the other Iranian security service the IRGC." Upon discovery of Iran’s part in the attacks, the Record by Recorded Future adds, Albanian Prime Minister Edi Rama announced on Wednesday that Albania was cutting all diplomatic ties with Iran and asked that all of Iran’s diplomatic and security staff leave Albania within twenty-four hours. Over the weekend Iran’s foreign ministry spokesman Nasser Kanani publicly condemned the US’s decision, stating, “America’s immediate support for the false accusation of the Albanian government... shows that the designer of this scenario is not the latter, but the American government.” Al Arabiya reports that Kanani also accused the US of supporting a “terrorist sect,” referring to the opposition People’s Mujahedeen of Iran, members of which are hosted by Albania.
We heard from John Hultquist, VP, Mandiant Intelligence, on the record the Iranian Ministry of Intelligence and Security has compiled:
“MOIS carries out cyber espionage and disruptive ransomware attacks on behalf of the Iranian government in parallel with the other Iranian security service the IRGC. They are largely focused on classic espionage targets such as governments and dissidents, and they have been found targeting upstream sources of intelligence like telecommunications firms and companies with potentially valuable PII. Furthermore, they have a history of targeting the MeK, the group at the center of the Albanian incident.
“These actors have also been involved in ransomware incidents that may have been ultimately designed for disruptive purposes rather than financial gain. Those operations were a template for the Albania attack. Mandiant has previously linked APT34 and APT39 to MOIS.”