By the CyberWire staff
US attributes SolarWinds campaign to Russia's SVR.
The US Administration on Thursday announced a set of measures designed to impose costs on Russian threat actors for election influence operations, for the SolarWinds compromise, and for other cyberespionage incidents. The steps taken include sanctions, diplomatic expulsions, and naming and shaming. The National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI jointly released a Cybersecurity Advisory attributing the SolarWinds campaign to Russia's Foreign Intelligence Service (SVR). The SVR is tracked by the industry as APT29 or Cozy Bear.
The White House stated:
"Today the United States is formally naming the Russian Foreign Intelligence Service (SVR), also known as APT 29, Cozy Bear, and The Dukes, as the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform and other information technology infrastructures. The U.S. Intelligence Community has high confidence in its assessment of attribution to the SVR.
"The SVR’s compromise of the SolarWinds software supply chain gave it the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide. The scope of this compromise is a national security and public safety concern. Moreover, it places an undue burden on the mostly private sector victims who must bear the unusually high cost of mitigating this incident.
"Today, the National Security Agency, the Cybersecurity & Infrastructure Security Agency, and the Federal Bureau of Investigation are jointly issuing a cybersecurity advisory, “Russian SVR Targets U.S. and Allied Networks,” that provides specific details on software vulnerabilities that the SVR uses to gain access to victim devices and networks. The advisory also provides specific steps that network defenders can take to identify and defend against the SVR’s malicious cyber activity.
"Additionally, the SVR’s compromise of SolarWinds and other companies highlights the risks posed by Russia’s efforts to target companies worldwide through supply chain exploitation. Those efforts should serve as a warning about the risks of using information and communications technology and services (ICTS) supplied by companies that operate or store user data in Russia or rely on software development or remote technical support by personnel in Russia. The U.S. government is evaluating whether to take action under Executive Order 13873 to better protect our ICTS supply chain from further exploitation by Russia."
US calls out Russian disinformation organizations.
Four front media organizations associated with three Russian intelligence and security services were singled out by the US Treasury Department as disinformation shops: SouthFront (run by the FSB), NewsFront (also FSB), InfoRos (a GRU front), and the Strategic Culture Foundation (run by the SVR). Treasury stated:
"The FSB directly operates disinformation outlets. SouthFront is an online disinformation site registered in Russia that receives taskings from the FSB. It attempts to appeal to military enthusiasts, veterans, and conspiracy theorists, all while going to great lengths to hide its connections to Russian intelligence. In the aftermath of the 2020 U.S. presidential election, SouthFront sought to promote perceptions of voter fraud by publishing content alleging that such activity took place during the 2020 U.S. presidential election cycle.
"NewsFront is a Crimea-based disinformation and propaganda outlet that worked with FSB officers to coordinate a narrative that undermined the credibility of a news website advocating for human rights. Part of NewsFront’s plan was to utilize Alexander Malkevich, who is also being re-designated in today’s action, to further disseminate disinformation. NewsFront was also used to distribute false information about the COVID-19 vaccine, which further demonstrates the irresponsible and reckless conduct of Russian disinformation sites.
"The Strategic Culture Foundation (SCF) is an online journal registered in Russia that is directed by the SVR and closely affiliated with the Russian Ministry of Foreign Affairs. SCF is controlled by the SVR’s Directorate MS (Active Measures) and created false and unsubstantiated narratives concerning U.S. officials involved in the 2020 U.S. presidential election. It publishes conspiracy theorists, giving them a broader platform to spread disinformation, while trying to obscure the Russian origins of the journal so that readers may be more likely to trust the sourcing.
"The GRU operates InfoRos. InfoRos calls itself a news agency but is primarily run by the GRU’s 72nd Main Intelligence Information Center (GRITs). GRITs is a unit within Russia’s Information Operations Troops, which is identified as Russia’s military force for conducting cyber espionage, influence, and offensive cyber operations. InfoRos operates under two organizations, “InfoRos, OOO” and “IA InfoRos.” InfoRos used a network of websites, including nominally independent websites, to spread false conspiracy narratives and disinformation promoted by GRU officials. Denis Tyurin (Tyurin) held a leadership role in InfoRos and had previously served in the GRU."
For more, see the CyberWire Pro Disinformation Briefing.
New APT34 activity.
Check Point says the Iranian threat actor APT34 (also known as OilRig) has targeted a Lebanese entity with a new backdoor dubbed "SideTwist." The threat actor delivered the malware via a Microsoft Word document that purported to describe job opportunities at a US-based cloud database company. The researchers say the SideTwist malware "provides functionality which is simple and similar to other C based backdoors utilized by the group: DNSpionage and TONEDEAF and TONEDEAF2.0." They add that "APT34’s backdoors DNSpionage and TONEDEAF are known to receive commands from the servers by searching for specific pattern hidden inside the HTML content of a legitimate looking website. In our case the attackers utilized a Flickr lookalike page, while in previous campaigns GitHub, Wikipedia, and Microsoft lookalikes were used."
For more, see the CyberWire Pro Research Briefing.
ShinyHunters hit Upstox.
Inc42 reports that leading India-based stock trading platform Upstox suffered a breach that potentially compromised the data of 2.5 million customers. The ShinyHunters cybercriminal gang has requested $1.2 million in exchange for not publishing the stolen data, Medianama explains, and has already released the data of 100,000 investors as a warning. Security researcher Rajshekhar Rajaharia discovered the breach when he encountered the data for sale on the dark web. The thieves claim they used AWS keys to access Upstox servers, and the stolen data includes names, identification numbers, and passport info.
In response, Upstox stated on its blog:
“We have upgraded our security systems manifold recently, on the recommendations of a global cyber-security firm. We brought in the expertise of this globally renowned firm after we received emails claiming unauthorized access into our database. These claims suggested that some contact data and KYC details may have been compromised from third-party data-warehouse systems.
"We would like to assure you that your funds and securities are protected and remain safe. Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories. As a matter of abundant caution, we have also initiated a secure password reset via OTP."
Though it’s unclear exactly when the breach occurred, Upstox experienced an outage for two days in February, which the company said was the result of hardware issues. Insiders say the company notified India’s Computer Emergency Response Team of the incident on March 31st, meaning the company was aware of the incident for almost two weeks before it informed users.
For more, see the CyberWire Pro Privacy Briefing.
Estonian identity verification platform provider Veriff has secured $69 million in a Series B round led by IVP and Accel. The company stated, "With this latest round of funding, Veriff will continue building within the fast-growing market opportunity in the U.S. and deliver on our promise of building a stronger source of identity online than government-issued IDs alone currently provide." Additionally, "Jules Maltz of IVP and Matt Weigand of Accel will also join Veriff's Board of Directors."
Israeli enterprise security firm Talon Cyber Security has raised $26 million in seed funding from Lightspeed Venture Partners, Team8, entrepreneur Zohar Zisapel, and angel investors. The company says the funding "will allow the company to further develop its technology and expand the development team."
Irish no-code automation company Tines has raised $26 million in a Series B round led by Addition, with participation from Accel, Blossom Capital, the CrowdStrike Falcon Fund, and Silicon Valley CISO Investments. Crunchbase says "[t]he company anticipates growing from about 23 employees now to 60 by the end of the year, evenly split between Dublin and its US hub in Boston as the company expands in the North American market."
Itential, a network automation company headquartered in Atlanta, Georgia, has raised $20 million in a Series B round led by Elsewhere Partners. The company says it "will use the funds to accelerate its core business and continue to build its Software-as-a-Service (SaaS) offering to expand within the global enterprise market."
New York-based SaaS security company DoControl has introduced its platform with $13.35 million in funding, including a $10 million Series A round led by RTP Global, with participation from StageOne Ventures, Cardumen Capital, and the CrowdStrike Falcon Fund. The company stated, "The funding round will help the company execute its go-to-market strategy by doubling its headcount across R&D, sales, and marketing to accelerate global expansion while delivering an enterprise ready product that supports hundreds of customer feature requests."
Atlanta-based anti-fraud company Pindrop Security has raised $6.8 million, Atlanta Inno reports. The company says it will use the funding "to accelerate product development and establish its go-to-market strategy to meet the explosive growth in adoption of Intrigue's Attack Surface Management platform. The seed funding will also support the security and developer communities contributing to Intrigue Core, the open source asset discovery project that serves as the backbone of Intrigue's enterprise solutions."
For more, see the CyberWire Pro Business Briefing.
NSA, in its joint advisory with CISA and the FBI, urged organizations to patch against the following five vulnerabilities being exploited by Russia's SVR:
Crime and punishment.
The US Justice Department announced that the FBI, after obtaining a warrant, went into private-sector systems to remove malicious web shells installed on compromised Microsoft Exchange Servers. Justice stated, "Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated. This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path)."
The statement added, "The FBI is attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells. For those victims with publicly available contact information, the FBI will send an e-mail message from an official FBI e-mail account (@FBI.gov) notifying the victim of the search. For those victims whose contact information is not publicly available, the FBI will send an e-mail message from the same FBI e-mail account to providers (such as a victim’s ISP) who are believed to have that contact information and ask them to provide notice to the victim."
A 28-year-old Texas man, Seth Aaron Pendley, has been arrested by the FBI and charged with planning to bomb an Amazon Web Services (AWS) data center in Virginia. The Record reports that the man tried to purchase C-4 from an undercover FBI employee with whom he had been in contact via Signal. The Record says he allegedly told the undercover FBI employee that he wanted to "attack Amazon’s data center because the company was providing web servers to the FBI, CIA, and other federal agencies and that he hoped to bring down 'the oligarchy' currently in power in the United States." Acting US Attorney Prerak Shah said in a statement, "We are indebted to the concerned citizen who came forward to report the defendant’s alarming online rhetoric. In flagging his posts to the FBI, this individual may have saved the lives of a number of tech workers."
Courts and torts.
Ireland's Data Protection Commission (DPC) has launched an inquiry into Facebook's leak of 533 million users' data in 2019 (the scraped data were recently posted publicly online). The Commission said in a press release, "The DPC engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance to which Facebook Ireland furnished a number of responses. The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data. Accordingly, the Commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service, or whether any provision(s) of the GDPR and/or the Data Protection Act 2018 have been, and/or are being, infringed by Facebook in this respect."
Policies, procurements, and agency equities.
President Biden will appoint NSA alumni to senior cybersecurity posts, the Washington Post reports. Jen Easterly will serve as Director of CISA, while Chris Inglis will serve as National Cybersecurity Director. Easterly was among the NSA officials involved in establishing US Cyber Command almost ten years ago. Inglis had served for eight years as NSA Executive Director, the second-ranking official in the agency. As the first National Cyber Director, a role created late last year by Congress in response to recommendations developed by the Cyberspace Solarium, his role will be coordination of civilian agencies’ cyber defense, and review of the relevant portions of their budgets. The position is outside the National Security Council, and so Inglis will not be responsible for overseeing offensive cyber policy as executed by military services and the Intelligence Community.
Reuters reports that the Cyberspace Administration of China has set up a tip line for residents to report online posts disparaging the CCP in the run-up to the party’s one-hundredth anniversary this summer. Casting anyone who "distorts" history, insults leaders and "heroes," or rejects "the excellence of advanced socialist culture" as "historical nihilists," the regulator encouraged the public to "actively play their part in supervising society…and enthusiastically report harmful information."
Computing reports bipartisan support for including a “right to disconnect” provision in Britain’s forthcoming Employment Bill that would set boundaries around employees’ time in the new era of remote work. A trade union survey found the majority of both Labour and Conservative members would back the move, while roughly thirty percent of work-from-homers said demands for uncompensated labor had increased with the transition out of office. Dublin recently issued regulation reinforcing standard business hours and protecting workers’ right to ignore after-hours communications, and Ottawa is preparing comparable rules.
For more, see the CyberWire Pro Policy Briefing.