Microsoft Exchange Server hacks officially attributed to China. Indictment in industrial espionage case. Entities List expands. Abuse of NSO Group’s Pegasus tool reported.
Dave Bittner: Allied governments formally attribute exploitation of Microsoft Exchange Server to China's Ministry of State Security. A U.S. federal indictment names four MSS officers in conjunction with another long-running cyber-espionage campaign. The U.S. Department of Commerce adds six Russian organizations to the Entities List (ph). The Pegasus Project outlines alleged abuse of NSO Group's intercept tool. Thomas Etheridge from CrowdStrike on the importance of real-time response, continuous monitoring and remediation. Our guest is Neha Joshi from Accenture on solving the cybersecurity staffing gap and how to stand up a successful, diverse security team. And there's hacktivism in Southeast Asia.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 19, 2021.
Dave Bittner: This morning, the U.S. - with the concurrence of the other Five Eyes, NATO, Japan and the European Union - formally attributed an attack on Microsoft Exchange Server to China's Ministry of State Security. The attribution has long been expected. On May 2, Microsoft itself had attributed the incident to Hafnium, which it identified as a state-sponsored threat actor that operates from China. NSA, CISA and the FBI have issued a joint cybersecurity advisory this morning on behalf of the U.S. government that outlines the basis for the attribution, the tactics, techniques and procedures the Ministry of State Security employed and a range of suggested mitigations.
Dave Bittner: So far, the official attribution to China involves no additional sanctions or other imposition of costs directed specifically at Beijing's actions in this case, The Washington Post reports, with some officials suggesting that it marks a setting of expectations of how nation-states are expected to behave in cyberspace.
Dave Bittner: Some observers have seen the absence of new measures imposed against China as evidence that Beijing still enjoys a free ride with respect to bad behavior in cyberspace - a free ride that, for example, Russia doesn't enjoy. This seems overstated. There is, of course, the general odium expressed by most of the civilized world, which would count at least as naming and shaming. But of course, many governments are shameless. And most are shameless to some extent, at least from time to time. And it's unlikely that international complaint alone would be likely to restrain Chinese intelligence and security services' misbehavior. But to say that China receives a free pass for its activities is to overstate matters. The long-running campaign to exclude on security grounds Chinese hardware manufacturers - notably but not exclusively Huawei and ZTE - from participating in 5G infrastructure build-out is one example of imposition of costs.
Dave Bittner: So are indictments of Chinese intelligence personnel. The U.S. Justice Department today published an indictment, unsealed Friday, of four Chinese nationals working for the Hainan Province Ministry of State Security, known by its acronym HSSD, a provincial arm of the Ministry of State Security. Between 2011 and 2018, the accused individuals are charged with supervising an extensive campaign to steal intellectual property from foreign companies and universities. They cast a wide net. The targets allegedly included research into the Ebola virus and vaccines against it, work on submersible vehicles, autonomous vehicle R&D, proprietary chemical formulas and research into genetic sequencing.
Dave Bittner: The threat group has been called by industry many names, among them APT40, BRONZE MOHAWK, FEVERDREAM, Gadolinium, Hellsing, MUDCARP and, our personal favorite, Kryptonite Panda.
Dave Bittner: The list of countries whose IP was prospected for Chinese strategic and economic advantage included the U.S., Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the U.K. The grand jury returned an indictment on two counts - conspiracy to damage a protected computer and conspiracy to commit economic espionage. The indictment is long but worth reading for the historical detail and insight into the tactics the alleged conspirators employed.
Dave Bittner: To continue with discussion of imposition of costs, the U.S. has expanded sanctions against some Russian outfits for their activities in cyberspace. The Commerce Department's Bureau of Industry and Security has added six Russian organizations to the Entities List. Placement on the Entities List restricts the named persons' or organizations' ability to trade with the U.S. Posted to the federal registry this morning, the revised and expanded Entities List is unlikely to exhaust the retaliatory measures the U.S. will probably take against Russian cyberactivity, in particular recent ransomware attacks by Russian gangs.
Dave Bittner: Forbidden Stories' Pegasus Project yesterday published, with the cooperation of some 16 other news organizations worldwide, the results of a long-running, collaborative investigation of NSO Group. From a leaked list of over 50,000 phone numbers - NSO clients selected for surveillance - investigators determined that 180 journalists in at least five countries were targeted. The Pegasus Project's report said, quote, "Forbidden Stories and Amnesty International had access to a leak of more than 50,000 records of phone numbers that NSO clients selected for surveillance," end quote.
Dave Bittner: NSO's government clients involved in the surveillance include Bahrain, Morocco, Saudi Arabia, India, Mexico, Hungary, Azerbaijan, Togo and Rwanda. NSO disputes allegations of involvement, saying that it doesn't see any connection between itself and the leaked list of targeted phones. But the company, which has been much criticized in the past for its willingness to sell to governments with dubious human rights records, called the possibility that its Pegasus tool had been misused disturbing. The Washington Post quotes the company as expressing an intention to investigate.
Dave Bittner: NSO Group is an Israeli company, and its exports are, The New York Times says, approved by the Israeli Ministry of Defense, which encouraged sales to Arab states that had long been hostile to Israel until they began to see a common adversary in Iran. Any sort of rapprochement between Israel and Muslim-majority states, whether in security, trade or in full normalization of relations, is seen by many as damaging to the interests associated with the Palestinian cause. Moves toward closer ties on the part of governments in the Gulf and in Southeast Asia have spurred, a study by Radware concludes, #OpsBedil, a hacktivist campaign staged from Malaysia and Indonesia. This campaign antedates the publication of the Pegasus Project.
Dave Bittner: As Radware describes it, quote, "attacks performed under #OpsBedil are considered a political response to the Israeli ambassador to Singapore stating in June that Israel is ready to work toward establishing ties with Southeast Asia's Muslim-majority nations. Malaysia, which is over 60% Muslim and supports Palestine, has a significant presence of hacktivists and Palestinian militants. As a result of this call to establish ties, hacktivists in the region began targeting Israeli assets in June with a series of DoS attacks, data leaks and defacement campaigns. The group condemns the proposal to establish ties and reiterates their ongoing support of Palestine with digital attacks," end quote. The group behind the campaign is known as DragonForce Malaysia.
Dave Bittner: There are, by all accounts, a lot of unfilled cybersecurity job positions out there - tens of thousands in the U.S. alone. What does having all those empty positions do for our readiness as a nation? And how do we go about closing the gap? Neha Joshi is global growth and strategy lead for Accenture Security, and she joins us with these insights.
Neha Joshi: I was literally just speaking to a CISO in Europe yesterday, and he said he has 40 unfilled roles on his team, right? We saw - there's a recent article from CBS that, according to Cyber Sike, there's 500,000 open cybersecurity positions in the U.S. alone. So we have an issue with open positions for cybersecurity skills.
Neha Joshi: And, you know, the obvious thing is that means that we're increasing our risk. But how? It means that we don't have cybersecurity professionals present in enough rooms - right? - especially early enough in the decision-making processes. So business decisions are happening without security considerations.
Dave Bittner: How do you suppose organizations can put the word out to nontraditional talent that this is - could be an opportunity for them, that cybersecurity organizations are interested in what they bring to the table, the type of thinking that they have, you know, the experience from the other types of work that they've done?
Neha Joshi: I think it's important to not just say it, but show it, right? It's important to highlight - for example, if one organization is trying to put that message out and say, OK, we really are very open to this, we want to have nontraditional talent, don't just say that, but also show some of the talent that they have internally that fall into that category and highlight those individuals, and then highlight their stories, right? Highlight how they have excelled within the organization, how the organization has invested in them and how they have grown within their own roles and positions to make really significant impact.
Neha Joshi: Because I think when you show that it's not just marketing speak, it's not just a talk track, but it's really a true investment, that the organization stands behind it, that's when it comes to life and that's when people believe it and actually are - they want to be part of that, right? They want to join that organization because they feel that's somewhere where they can truly thrive.
Dave Bittner: The organizations that you've seen who are successful at this - what do they have in common? What are the things that they're doing that make this work?
Neha Joshi: For me, that's really about diversity across a team. Again and again, in every research article on this, every dimension of business, it shows that diverse groups of people make better decisions, have better results. And when I'm saying diversity, its thought processes, its gender, race, sexual orientation, veterans, neurodiversity, education, socioeconomic backgrounds, right? There are so many different facets of diversity. And bringing those teams together so that they can really achieve the best results makes the difference, right? Celebrating those differences on a team and celebrating what they can accomplish together that no one of them could have alone is what I've seen to be successful.
Neha Joshi: You know, you want people that are creative problem-solvers whenever new problems arise but who are also OK with some of that mundane grunt work, that research that's required in cybersecurity - right? - to go solve those problems. And I think it's about assessing how those teams come together and complement each other and challenge each other to be able to actually be successful and produce better outcomes and better results.
Dave Bittner: Yeah, it strikes me as being something that I could see being a challenge from a leadership point of view. But as you mentioned, the results really speak for themselves. Study after study shows a more diverse team yields better results.
Neha Joshi: Absolutely, absolutely. And I think when leaders invest in it, they will see the outcomes themselves, and they'll see the outcomes for their team, but also for the individuals on that team. And it is - it can be mind-blowing, honestly, of what you can see happen.
Dave Bittner: That's Neha Joshi from Accenture Security.
Dave Bittner: And joining me once again is Thomas Etheridge. He's senior vice president of services at CrowdStrike. Thomas, it's always great to have you back. I wanted to touch today on the importance of real-time response, continuous monitoring and remediation, kind of get your take on those three elements. What can you share with us today?
Thomas Etheridge: Absolutely. Thanks, Dave. I appreciate having me on again. One of the things that we want to make sure we communicate is the repetitive nature of incidents. No longer can organizations think about an incident as a one-time event. In fact, in our annual Front Lines Report last year, we reported that in 68% of the organizations that reached out to us for incident response help, those organizations suffered another intrusion attempt within the following 12-month period.
Thomas Etheridge: So organizations are susceptible to secondary, even third breach attempts after they've responded to an incident. Sometimes it's with the same threat actor that's trying to regain access, and other times it's with a completely different threat actor looking to take advantage of access maybe that they've been unable to close.
Dave Bittner: Yeah. I mean, that really leads me to the next question I was going to ask you, which is how often do folks find themselves being, you know, hit by the same actor? Does he - even if somebody, you know, closes up a way in, if they have things of interest, is it common for you all to see the same threat actor making another run at them?
Thomas Etheridge: When threat actors realize that they may have the ability to pivot within the environment to another, say, an unprotected part of the environment or to leverage living off the land techniques to remain stealthy and hidden from the customer's security tooling and protocols, that's where we see threat actors make additional attempts at exploiting access that they may have gained in the customer's environment. And that's why we preach kind of the ability to detect, investigate and remediate those incidents as quickly as possible. Thus, the real-time response, continuous monitoring and efficient remediation - those are so critical in instant response and recovery these days.
Dave Bittner: When you're walking into a new situation, you know, sort of evaluating someone that you might be doing business with for the first time, do you find that most folks have one of these areas more covered than others?
Thomas Etheridge: Actually, Dave, what we're seeing is quite the opposite. In our 2020 Services Report that I just mentioned, we outlined some of the industry averages for detection, investigation and remediation. What we see in practicality is most organizations take around 120 hours to detect a threat, about 11 hours to investigate and about 31 hours to remediate. Total - all totaled, that's around seven days. That's just not good enough. Threat actors are moving at much faster paces. They're measured in minutes and hours, not days.
Thomas Etheridge: So it's incumbent upon organizations to think about that 1-10-60 rule that we've discussed previously. And some of the capabilities that we've been able to bring to market, such as our Falcon Complete offering, drives more structure towards those metrics. So we're able to actually detect within a minute, investigate within six minutes on average, and then be able to remediate that threat within 29 minutes. And that gives the customer a bigger advantage in terms of stopping the tide from these threats.
Dave Bittner: All right, well, Thomas Etheridge, thanks for joining us.
Thomas Etheridge: My pleasure. Thanks, Dave.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.