Cyber Command and Revolutionary Guard spar in cyberspace.
US Cyber Command is said to have conducted offensive operations against Iranian targets as a reprisal for Tehran's attacks on commercial shipping in the Gulf of Oman, and for the shootdown of a US Global Hawk unmanned drone. Yahoo, which broke the story, said the attacks were directed against an Iranian intelligence unit responsible for supporting attacks against shipping by tracking tanker traffic.
The Washington Post added details about the alleged US cyberattack, reporting that US Cyber Command had disabled Iranian missile command and control systems in the region, which would be a direct riposte to the Global Hawk shootdown. US Central Command and the US Navy have referred inquiries to Cyber Command, which declines to comment for reasons of operational security. Fox News says Iran has promised a "firm" response to any American "aggression."
Last Saturday, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that Iran has increased the tempo of its cyberattacks against US targets, and that destructive wiper attacks could be expected. These typically gain access to target networks through familiar criminal methods, particularly phishing, password spraying, and credential stuffing. CISA has published defensive advice alongside the warning.
Washington and Tehran barked over the week, but (beyond new US sanctions directed against Iranian leaders) did not bite, at least not publicly (Wall Street Journal). President Trump warned Iran not to overestimate American patience or restraint. For its part, Iran pointed out that it could knock down an American drone any time it decided to do so, and that "the enemy knows it" (Washington Post).
Yandex hacked?
Russian search-engine giant Yandex says it detected and remediated a Regin spyware infestation late in 2018. Regin has been publicly associated (by Edward Snowden) with the Five Eyes (that is, the intelligence services of Australia, Canada, New Zealand, the United Kingdom, and the United States) (Reuters).
Secondary Infektion.
The Atlantic Council’s Digital Forensic Research Laboratory (DFRL) reports on an extensive Russian information operation. They’re calling the campaign “Secondary Infektion” after the late Soviet-era “Operation Infektion,” which pushed disinformation that AIDS was a US biowar project.
Secondary Infektion began by placing stories in obscurer corners of the Internet’s hinterlands. It then amplified these through Facebook accounts and, ultimately, in the state media outlet RT. The DFRL doesn’t have access to Facebook’s backend data, but they attribute Secondary Infektion to Russian actors on circumstantial “contextual and linguistic” grounds. The contextual evidence is close conformity with Moscow’s line in regional disputes, especially those with Ukraine. The linguistic evidence is the familiar sort of fumbled article use, uncertainty about the genitive case, and poor idiomatic control. The linguistic clues are in some ways surprising: Russia has demonstrated that it has English linguists as good as any native speaker.
Some of the content is, however, obviously faked, and would arouse suspicion even apart from language and context. One of the stories RT carried with a straight face in its German-language edition late last year showed an obviously bogus tweet attributed to US Senator Marco Rubio, Republican of Florida, warning that British intelligence intended to hack American elections (CNN). RT noted in a follow-up that Senator Rubio denied making the posts, but didn’t retract its story.
The campaign’s goal appears to be the now customary one of inducing mistrust and division along various cultural fault lines. It also illustrates that today's information operations represent an evolution from their pre-Internet ancestors, not a revolutionary departure.
Stone cold Stone Panda.
Cybereason has released a report on a long-running, extensive (but highly focused) campaign to compromise mobile networks, "Operation Soft Cell." It appears to be the work of Chinese intelligence services, specifically APT10 (also known as Stone Panda). It's "either APT10 or someone operating just like them," as the Register puts it, to express the attribution with proper caution.
The Soft Cellers have spent the last two years and a few months lurking in some ten mobile networks worldwide. They were quiet, patient, and focused, interested for the most part, it seems, in watching the movement and other activity of what the researchers characterize as twenty to thirty “high-value targets,” persons of interest to espionage services, like politicians and diplomats. There’s no particular evidence that Operation Soft Cell pulled content from their targets’ messages, but the metadata alone were valuable, since such collection can yield the victims’ places of work, travel, and abode, as well as whom they talked to, how long they talked, and so on.
The operation avoided detection by going quiet for extended periods of time. Soft Cell's operators also installed their own VPNs in the networks they infested, which made their job easier. Those installations seem in general to have escaped notice.
Cloud Hopper, a look back at another APT10 effort.
Reuters reported Wednesday that six of the managed service providers compromised by the Chinese APT "Cloud Hopper" were Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology, in addition to IBM and HPE. Cloud Hopper, believed to be the work of APT10 ("Stone Panda"), is associated with the Chinese Ministry of State Security, and focuses on industrial espionage. A US indictment last December outlined the group's activities and stated that more than forty-five technology companies (unnamed in the indictment) had been compromised since 2006. After gaining access to the eight MSPs via spearphishing, the hackers compromised more than a dozen of the service providers' clients, including Sabre, Huntington Ingalls Industries, and Ericsson. Huntington Ingalls denies it was affected (Fifth Domain).
Refined Kitten refines its game.
Researchers at Recorded Future say Iran's APT33 (also known as Elfin or Refined Kitten) has exhibited increased activity over the past three months, although the group began switching to new infrastructure after Symantec published a report at the end of March detailing its operations. The threat actor has been using more than 1,200 new domains, 728 of which were seen communicating with infected systems. Most of these systems were infected with commodity remote access Trojans, in keeping with the group's fondness for publicly available tools. Sixty percent of these cases involved the njRAT malware, which hadn't previously been observed in use by APT33.
The researchers also describe links between Iranian contractors and Tehran's intelligence services, suggesting further overlap and connections between APT33, APT35, and MuddyWater, as well as between various types of custom malware (Ars Technica).
Skid versus skid.
Silex malware, which bricked large numbers of IoT devices until its command-and-control server went down Wednesday afternoon, seems to be the work of three teenagers. Bleeping Computer says they glory in the noms-de-hack "Light The Leafon" (or "Light The Sylveon"), "Alx," and "Skiddy." Akamai looked at Silex and found that it worked for the most part against devices with default passwords left in place. The motive seems to have been a form of snobbery. The hackers wanted to preempt tiresome skids from exploiting poorly protected IoT devices for cash and bragging rights: "i am only here to prevent skids to flex their skidded botnet," said Mr. Leafon, which is one way of looking at vandalism.
Patch news.
Microsoft Threat Protection's Group Program Manager tweeted that 83% of systems worldwide have been patched against the BlueKeep vulnerability, although it's worth keeping in mind that only one computer on a network has to be vulnerable in order for an attacker to potentially spread to other systems (BleepingComputer).
VideoLAN patched 33 security vulnerabilities in VLC media player. The nonprofit attributes the high number of fixes to the EU's bug bounty program for open source software, which launched in January (Naked Security).
Dell fixed a vulnerability in its SupportAssist software, which could have allowed a remote attacker to gain SYSTEM privileges (Help Net Security).
Crime and punishment.
Some guy, publicly identified only as "Brecht S." (like "Joseph K.," only less cool) was sentenced to eighteen months in Belgium for a variety of hacking offenses. Mr. S. was caught when he threw a Molotov cocktail at a Crelan Bank office in Roeselare: he inadvertently dropped a USB drive holding identifying information. The police found evidence linking him to online crimes, some hacktivist, others conventionally criminal, like DDoS extortion against a pizza joint. Mr. S. is an adherent of Anonymous Belgium. That Molotov cocktail? Kinetic crimes draw stiffer penalties than cyber ones. Mr. S. got an additional three years for arson (ZDNet).
UK police have suspended work with Eurofins, a Brussels-based multinational private forensics firm, after the company suffered a ransomware attack at the beginning of June. According to the Guardian, Eurofins is believed to handle more than half the UK's outsourced forensic work, so the incident will probably delay court cases.
Israeli police arrested two brothers for "long and systematic theft" of cryptocurrencies that police say netted them tens of millions of dollars (Finance Magnates). They're accused of setting up spoofed cryptocurrency wallets and exchanges to harvest private keys via phishing. The brothers are also suspected in the 2016 Bitfinex hack, but police haven't commented on those allegations (Yahoo).
Courts and torts.
McAfee is suing three former sales personnel who moved to rival Tanium taking, McAfee alleges, trade secrets with them (Register).
The US Court of Appeals for the District of Columbia Circuit ruled in favor of a lawsuit seeking monetary compensation for victims of the 2015 Office of Personnel Management hacks. The case was dismissed in 2017 for insufficient evidence of harm, but the appeals court found that victims had experienced identity theft "accomplishable only with the type of information that OPM stored and the hackers accessed." The suit will now return to the district court, though it could take years to resolve (Washington Post).
A police officer in Minnesota was awarded $585 thousand in a lawsuit against the city of Minneapolis and two of her police colleagues. "Dozens" of other officers are said to have been improperly accessing her Department of Motor Vehicles records. The snooping was apparently creepily motiveless: cyber-stalking for the lulz (assuming creepy lulz don't count as motives) (WIRED).
Policies, procurements, and agency equities.
The US Federal Government is publicly committing to work with state and local officials to secure the 2020 election. Administration officials at a press call organized by the National Security Council Monday afternoon said they were focusing on two main problems: potential interference (that is, ensuring that votes can be cast and counted properly) and potential influence (that is, disinformation and other information operations). The Administration is expanding free support services to all fifty states and to all presidential campaigns. That support includes, among other things, sharing classified information with affected parties when it's relevant and necessary (and consistent with larger security concerns).
The US Department of Defense has recently assumed a leading role in managing security clearances across the Government, and a new name signals a fresh start. Federal News Network reports that the Defense Security Service will henceforth be known as the Defense Counterintelligence and Security Agency. By October 1st the agency will have absorbed the National Background Investigations Bureau.
The UAE is thinking about implementing a data protection law modeled, at least partially, after the EU's GDPR (TechRadar).
The city council of Lake City, Florida, voted on Monday to pay ransomware attackers at least $480,000 to recover the city's files. Lake City is the second Florida city to pay ransom in the past two weeks, after Riviera Beach paid $600,000. In both cases, the cities' insurance providers covered the bulk of the costs (ZDNet).
Fortunes of commerce.
Forescout has released the results of a survey that outlines how cybersecurity figures in merger-and-acquisition due diligence. Slightly over half the respondents said that they encountered a cybersecurity issue during due diligence that put the deal in jeopardy.
Mark Zuckerberg said on Wednesday that while Facebook is doing its best to deal with misinformation and attempted election interference, the Federal government "is the one that has the tools to apply pressure to Russia, not us." He added that breaking up the company would make issues of privacy and misinformation worse, because those issues would still exist, but "you would just be much less equipped to deal with them" (USA Today).
Google's parent Alphabet is merging its cybersecurity subsidiary Chronicle into Google Cloud (CNBC).
Labor markets.
A look at alternative approaches to talent management for a US Government (and especially a US military) cyber workforce sees useful models not only in the private sector, but in some allied countries (notably Germany) and adversaries (Russia and China). Aviation and medical talent management provide some useful analogies because of their "high levels of value on technical mastery and collaboration, and the self-policing of performance and values" (Eurasia Review).
Infosecurity Magazine has a summary of advice for recruiters managing job candidates. The headline says "How to do a cybersecurity interview," but the suggestions are in fact more extensive, and include tips for networking and other paths to employment. If you're a hiring manager, there's also some advice for you in a different Infosecurity Magazine piece: look for people who are good at continuous learning, are familiar with the threat landscape, and have a strong disposition to improve their technical skills.
Mergers and acquisitions.
Parsons, which began trading publicly at the end of April, last week expressed its intention to devote significant capital to acquisition. The defense and intelligence engineering company is particularly interested in picking up companies that would address its "focused markets" of cybersecurity, intelligence, space, defense, and smart cities critical infrastructure (Inside Defense).
Palo Alto Networks is also pursuing an ambitious acquisition strategy. It closed its purchase of Demisto last week, and the company has now spent more than $1 billion on acquisitions over the past year and a half. Other pickups during that period have included, most recently, PureSec and Twistlock, as well as RedLock, Secdo, and Evident.io (Market Realist).
Extreme Networks is acquiring cloud-managed networking shop Aerohive Networks, bringing Aerohive's cloud-management and edge capabilities into its end-to-end networking practice. The aggregate purchase price is $272 million (PRNewswire).
EZShield and IdentityForce will henceforth do business as Sontiq. EZShield acquired IdentityForce last year. Sontiq's headquarters will be in Nottingham, Maryland (Daily Record).
Accenture is acquiring BCT Solutions, an Australian cybersecurity firm based in Canberra, for an undisclosed amount (Which-50).
Investments and exits.
Maryland-based BlueRidge.ai raised $1.9 million from DataTribe. BlueRidge specializes in applying machine learning to manufacturing processes (Technical.ly Baltimore).
Tel Aviv-based Vulcan Cyber has raised $10 million in a Series A round led by Ten Eleven Ventures with participation by seed investor YL Ventures. Vulcan intends to use the investment to support expansion into the North American market, and to upgrade its development and support capabilities (BusinessWire). The company specializes in automated vulnerability remediation.
And security innovation.
In a rare public appearance Yossi Cohen, head of Israel's Mossad, said cyber tools were essential to fighting terrorism. In that context he mentioned Mossad's venture capital arm, Libertad, which seeks innovative start-ups whose technology might offer solutions to intelligence agency challenges (Jerusalem Post). Founded in 2017, Libertad's function is similar to the US In-Q-Tel.