China sets sights on US critical infrastructure.
Dave Bittner: China allegedly targets US critical infrastructure, while a small Irish village goes without water due to an Iranian CyberAv3ngers attack. The EU sets a global precedent with new AI regulations. Unraveling the latest maneuvers of the Lazarus Group. The Sandman APT's links to Chinese cyber threats. "5Ghoul" vulnerabilities represent a new challenge in telecom security. The deceptive dangers of the MrAnon infostealer in a booking app. The GRU's phishing tactics lead to the spread of Headlace malware. On today’s Solution Spotlight segment, Kristie Grinnell from DXC Technology talks with N2K’s President Simone Petrella about DXC’s “All in on Cyber” program. And 23andMe's controversial update to its terms and conditions.
Dave Bittner: Today is December 11, 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Dave Bittner: China targets US critical infrastructure.
Dave Bittner: We begin today with reporting from the Washington Post that the Chinese military is intensifying efforts to compromise key American infrastructure, such as power, water utilities, communications, and transportation systems. According to U.S. and industry security officials, hackers linked to China's People's Liberation Army have infiltrated computer systems of about two dozen critical entities over the past year. These cyber intrusions are seen as preparations for potential chaos or logistical disruption in case of a U.S.-China conflict, particularly in the Pacific region.
Dave Bittner: Targets include a Hawaiian water utility, a major West Coast port, and an oil and gas pipeline. There were also attempts to breach the Texas power grid operator. These actions are part of the broader "Volt Typhoon" cyber campaign, first detected by the U.S. government about a year ago. The campaign's focus appears to be on targets within the Indo-Pacific region, including Hawaii.
Dave Bittner: These intrusions haven't affected critical operational systems or caused disruptions but indicate an intent to complicate U.S. military efforts or cause internal chaos in the event of a conflict, especially concerning Taiwan. The hackers typically conceal their activities, aiming to maintain access for potential future attacks. This shift in Chinese cyber activity, from espionage to potential infrastructure disruption, marks a significant strategic change.
Dave Bittner: The U.S. intelligence community has warned that China could launch cyberattacks to disrupt critical U.S. infrastructure in a major conflict scenario. The Volt Typhoon campaign has affected not just large entities but also smaller companies across various sectors, hinting at an opportunistic targeting approach.
Dave Bittner: Chinese military strategists have discussed using cyber tools in conflict scenarios, including amphibious invasions and disruption of military logistics and command networks. This aligns with the current observed activities and targets of Chinese cyber operations.
Dave Bittner: In response, the U.S. government is working to improve coordination with the private sector and tech companies to detect and counter these threats. Efforts include issuing mandatory cybersecurity rules for critical industries and encouraging better practices such as mass password resets and secure multifactor authentication. The U.S. and its Five Eyes intelligence allies have issued advisories to help detect and mitigate such intrusions, emphasizing the need for collective vigilance and information sharing in protecting critical infrastructure.
Iranian CyberAv3ngers hit village in Ireland
Dave Bittner: A cyber-attack, likely the work of the Iranian group CyberAv3engers, disrupted the water supply for 180 homes in the Erris area, Ireland, by targeting a Eurotronics Israeli-made water pumping system. The hackers, reportedly targeting the system due to its Israeli origin, caused the Binghamstown/Drum water scheme to lose service for two days. The attack was discovered when a caretaker saw a message stating "You have been hacked" and anti-Israel sentiments displayed on the pump house screen.
Dave Bittner: Noel Walsh, a member of the water scheme, noted the absence of the usual phone alerts during the incident. The group's firewall security was possibly insufficient, and efforts are underway to enhance their cyber defenses. The restoration of water supply on Friday night brought relief after significant inconvenience.
Dave Bittner: The US FBI has highlighted similar attacks as part of a rising trend in cyber-attacks linked to geopolitical tensions, citing an incident in Pennsylvania as a "significant escalation". Deputy National Security Advisor Anne Neuberger emphasized the need for improved cybersecurity practices to counteract growing criminal and international threats.
Dave Bittner: EU agrees to groundbreaking AI regulations.
Dave Bittner: The European Union has achieved a significant milestone by reaching an agreement on a comprehensive law to regulate artificial intelligence (AI), potentially setting a global standard. This AI Act is designed to manage risk, enforce transparency, and impose financial penalties on non-compliant tech companies. It targets high-risk AI applications in sectors like self-driving cars and medical equipment, requiring companies to disclose data and undergo stringent testing.
Dave Bittner: The law aims to balance innovation with protection, addressing the challenges posed by large-scale AI models like ChatGPT. It includes provisions banning the creation of facial recognition databases from internet or security footage, with certain exceptions for law enforcement in specific cases.
Dave Bittner: While the AI Act has been welcomed as a model for global AI regulation, it has also raised concerns about potentially stifling innovation and hindering Europe's competitive edge in AI development. The legislation offers exemptions for open-source AI models and imposes additional obligations on proprietary models deemed to have systemic risk.
Dave Bittner: Companies violating the AI Act could face fines up to 7% of their global revenue. This law underscores Europe's leadership in tech regulation, following other impactful legislations like the General Data Protection Regulation. The AI Act is expected to influence AI legislation in other regions, including the United States, where the approach to AI regulation has been more incentivizing than restrictive.
Dave Bittner: The law will take two years to be fully implemented and will require EU countries to establish national and regional bodies to regulate AI. The European Parliament is set to pass this legislation before the upcoming legislative elections.
Dave Bittner: New Lazarus Group activity discovered.
Dave Bittner: Cisco Talos has uncovered a new campaign called "Operation Blacksmith" by North Korea's Lazarus Group, targeting the manufacturing, agricultural, and physical security sectors. This campaign involves at least three new malware families developed in DLang, including two remote access trojans (RATs). One of these RATs uniquely uses Telegram Bots and channels for Command and Control (C2) communications. Researchers have identified similarities with previous operations by Lazarus' sub-group "Andariel," known for initial access, reconnaissance, and establishing long-term espionage channels to support North Korea's governmental interests.
Sandman APT linked to a Chinese threat actor.
Researchers from SentinelOne, Microsoft, and PwC have identified connections between the Sandman Advanced Persistent Threat (APT) and the suspected Chinese threat actor STORM-0866/Red Dev 40. These links are based on overlapping targets, shared practices in controlling and managing Command and Control (C2) infrastructure, and coexistence on compromised systems. The research highlights the intricate nature of the threat landscape in China, characterized by significant cooperation and coordination among various groups. It also suggests the potential involvement of third-party vendors in supplying operational tools to these groups. Despite recognizing Sandman's association with Chinese adversaries known for using the KEYPLUG malware, the researchers continue to track Sandman as a separate entity until more definitive evidence emerges.
5Ghoul: a chip risk.
Dave Bittner: Researchers from the Singapore University of Technology and Design have identified vulnerabilities in the firmware of 5G mobile network modems produced by Qualcomm and MediaTek, as reported by BleepingComputer. These flaws, collectively termed "5Ghoul," pose a risk of service disruptions or network downgrades. The researchers discovered that over 710 smartphone models currently available are affected by these vulnerabilities. They also caution that the actual number of impacted models could be higher, considering that firmware code is often reused across different modem versions.
MrAnon infostealer and a malicious booking app.
Dave Bittner: Fortinet researchers have identified a phishing campaign that employs fake hotel booking notifications to distribute the MrAnon information stealer. This campaign primarily targeted Germany, as indicated by the significant number of URL queries from the region, particularly in November 2023, suggesting increased and aggressive activity during that month. MrAnon is designed to steal sensitive information from victims, including credentials, system data, browser sessions, and cryptocurrency extensions.
GRU phishing campaign delivers Headlace malware.
Dave Bittner: IBM's X-Force has reported that ITG05, likely a Russian state-sponsored group, is conducting a phishing campaign using themes related to the Israel-Hamas war to spread the Headlace backdoor. This group is associated with APT28, UAC-028, Fancy Bear, and Forest Blizzard. Headlace, identified by CERT-UA in September, comprises a .CMD dropper, a .VBS launcher, and a .BAT backdoor. The campaign targets humanitarian aid organizations, mainly in Europe, with geographically specific attacks designed to open only in certain countries. Nearly all of the targeted countries are United Nations Human Rights Council members. This focus is likely due to Russia's interest in the Council's potential actions against its activities in Ukraine. X-Force anticipates the continuation of similar campaigns.
Dave Bittner: Coming up after the break on Today's Solution Spotlight segment, Kristie Grinnell from DXC Technology talks with N2K's President Simone Petrella, about DXC's All in on Cyber Program. Stay with us. [ Music ] In today's Solution Spotlight segment, N2K's President Simone Petrella speaks with Kristie Grinnell from DXC Technology. They're talking about DXC's All in on Cyber Program.
Simone Petrella: I am so excited to be here today with CIO of DXC Kristie Grinnell. Kristie, thank you so much for joining me today.
Kristie Grinnell: Thank you so much for having us, Simone. It's great to be here, and one of my favorite topics.
Simone Petrella: Can you tell us a little bit about yourself and your journey into the IT space?
Kristie Grinnell: Absolutely. So I am the CIO at DXC Technology, which is an IT solutions and services provider. We do technology from the bottom of the technology stack, storage, compute, network, all the way up to the top of the stack, analytics and engineering. So we have 130,000 employees across 80 countries, which are really servicing most of the Fortune 500 in some way, with their technology needs. And myself, I grew up in technology from a business analyst and strategy perspective. So I'm actually not technical, Simone. Like, I can't code I can't, you know, design an architecture, I can't do anything like that. But I can ask a lot of questions and ensure we really focus on the business problems we're trying to solve, and really growing our company.
Simone Petrella: I love though that you say that off the bat. Also, I'm going to call you out a little bit because I know you do have a degree in mechanical engineering. So to say you're not technical, maybe not in coding, but I'm [laughing] going to call you out. I don't think that's true.
Kristie Grinnell: No, I have the problem solving capability. And I was a mechanical engineer for three years at General Motors. And then I recognized that I was maybe more of a people person, then I was a engineer who could design machines, so I went back to business school. But, you know, just always taking that, you know, methodical approach to solving problems, creative thinking, and finding the right answer for the company, regardless of the problem we're trying to solve.
Simone Petrella: Well, I think that's a great backdrop for the discussion that we wanted to have today around kind of people and how companies, especially DXC think about sort of leveraging people especially as we tackle what is arguably, you know, a chronic workforce gap that we have struggled with in cybersecurity in particular, but STEM and, you know, I think not only STEM in general, but especially for women and underrepresented talent. So I'm kind of taking it into a few directions there. But one of the things I know DXC has focused on, and I've heard you speak a lot about in talks that you've given is how much the focus is in your firm and your company on transformation and how people in being a people person, it just drives everything that you all do. And I'd love to see if you could share a little bit more about some of the initiatives that DXC has in flight that embody that philosophy.
Kristie Grinnell: Absolutely. So one of the reasons I actually joined DXC is for the values that we have as a company, and what I saw across our leadership. And one of those is to care for our employees, first and foremost. And that means that we take care of each other and that we're very inclusive. That matters, because in order to bring diversity to the table, in order to have diversity of thought, people need to feel that they are being cared for and that they are included and that their voices wanted at the table. Right? So that's the first part. The other two values that really matter here are to collaborate and do the right thing. And I just firmly from my heart believe that in order to do the right thing, that is to accept people for who they are with all of their good, all of their bad, but all of that experience, all of that culture, all of that viewpoint that they can bring, that's what drives innovation. So I started by saying that, you know, I'm a problem solver. I'm a decision maker. I can, you know, have creative thinking, but the more we bring that around the table, the better off we are. And it is a problem. When you look at the technology field, you know, the majority of the technology field around the world has less than 30 percent women, but we make up 50 percent of the workforce, Simone. That just doesn't sit right with me. Right? And it's not because of like, hey, you know, we need to do this. But that means we're missing important perspective and viewpoints that will help us to solve more problems for businesses, to create more opportunity around the world in order to drive new things. So I think, you know, for me, I sit on the STEM For Her Advisory Board. I'm the executive sponsor of our Women Empowered Employee Resource groups here at DXC, which are a big part of what we do. But we also have programs, like, our Dandelion Program, which is looking at neuro diverse abilities, and how can we leverage those in the workforce, because we know there's a lot of untapped talent there who can do some really great things. So I think if we all just open our mindset, which is what we're trying to do at DXC to care for people and the experience that they bring, and allow that voice to be heard at the table, you just never know what we're going to do. And I know that at the end, we'll all do the right thing.
Simone Petrella: I love to hear about companies that are really kind of taking on that responsibility to sort of grow the talent. It's always so frustrating to me when I am in situations or conversations where we're able to talk about the talent gap. And everyone goes, like, sure these opportunities for individuals, they just need to take the bull by the horns. And I'm like, no, like, we have to create an environment that allows them to do that and have something on the other side.
Kristie Grinnell: And a lot of people don't know, right, like, when you hear about IT, a lot of people think it's especially IT, but also, like, STEM, engineering, the math side of it, the technology side, a lot of people, number one has fear of it, because they don't know what they don't know. The other fear of it is that this is going to cost me a lot of money to get the education and the skills I need and be smart enough to work in this area. And that's actually not true. There's so much we can do with talent that doesn't have a college degree, but has the right certifications with early professionals who are, you know, really willing to dig in and roll up their sleeves and learn a new craft in technology. There's a lot of potential there, so I'm super excited about what it could look like. But we need to open up our aperture more for what we're willing to do to deal as companies and people around the world.
Simone Petrella: Are there any things specifically at DXC that you all are doing around kind of entry level talent? You mentioned some of the initiatives around neuro diversity, and some other things. But once you actually identify those pools of talent, how are you kind of giving them that exposure and that training they need to be capable of fitting in these new roles?
Kristie Grinnell: Yeah. So and this is specific to DXC, but also other companies that I've been at as well. Number one, internship programs are one of the best ways for a potential employee in the company to find out if they're a fit. And that's to find out if they're fit from the role in the technology perspective, but also that other part, that cultural inclusion and values part that I discussed, and taking that internships next level where you're giving them a view, not just into the role that you hire them into, but also allowing them to stick with other roles in the company to see what options might be. Because that's what a lot of early professionals, they have no idea what it means to be, like, if you say, oh, we need a technical analyst, and they're like, a technical. [Laughing] Like, what does that mean?
Simone Petrella: Yeah.
Kristie Grinnell: They don't know what that is, and so, you know, the education of what are these things. And when you say you're an engineer, an engineer means a lot of different things in a lot of different companies. So the more we can bring in those early professionals and give them that internship, that's number one. The second thing is, though, is that I believe in a build your own talent philosophy, where we bring in early professionals and put them on the projects where they're going to get exposure, just skills and leverage the talent they have, whether it be a certification or an education that they receive. But also get that hands on real world experience. And I'll give you an example. The service desk is an amazing place to start. And I know that some people were, like, I don't want to sit and listen to calls all day that are really hard. But at the same time, you're seeing cyber issues, you're seeing network issues, you're seeing device issues, you're seeing application issues, you get a broad spectrum of what you're trying to do. And you're being told how to solve some of those, you know, entry level problems, and sometimes you have to escalate it, but you get that view. And then that gives us the ability to also see who's picking this up really quick, who's able to help solve those problems really well and understand. And that that person on the service desk, and again, it's just one example. But then they go, wow, I really liked those problems that I'm solving in cyber, I want to do more, right? And so then, great, we have unlimited learning available here at DXC with Udemy and LinkedIn Learning to help our employees. They can go take more classes then in cyber, learn about it, and then apply for that next job. Look at that next career path, an opportunity you might want. So build your own talent is a real key way of doing that. That takes the employee digging in, right? They need to be a part of it and be willing to learn. It takes the managers being able to really watch and help nurture and coach and mentor that employee, and also for the company itself to invest in the learning capability [music] and the time to do it, but also to have those types of career paths for people in the company as well.
Simone Petrella: Great. Well, Kristie, I appreciate you taking the time to join us this afternoon and really appreciate it and love the discussion.
Dave Bittner: That's our own Simone Petrella speaking with DXC Technologies Kristie Grinnell. [ Music ] And finally, following a data breach that exposed the personal details of 6.9 million users 23andMe updated its terms of service to prevent customers from suing the company or joining class action lawsuits. This change stipulates that customers will automatically agree to the new terms unless they explicitly disagree within 30 days of notification. Meanwhile, two Canadian law firms are pursuing a class action lawsuit against 23andMe in the Supreme Court of British Columbia. A 23andMe spokesperson claims the terms were changed not to limit court relief, but to expedite dispute resolutions allowing claims in small claims court and offering an opt out option for mandatory arbitration. Despite this, experts like Chicago Kent College of Law Professor Nancy Kim, questioned the company's ability to enforce these terms legally, especially since they might be attempting to shield themselves from the breaches fallout. The breach, which impacted almost half of 23andMe's customers included data related to users with Ashkenazi Jewish and Chinese heritage. The company only revealed the full extent of the breach two months later. Criticism surrounds the mandatory arbitration clause in the new terms, considered biased against customers and often hidden in fine print. In the aftermath, 23andMe made two factor authentication mandatory, a step previously recommended but not enforced. Kim labeled the lack of mandatory two factor authentication as negligent given the sensitivity of the data involved. We often talk here about the importance of prioritizing patching and cybersecurity. In this case, it seems that 23andMe has prioritized patching their terms and conditions. [ Music ] And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at the cyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment on Jason and Brian show every week. You can find the "Grumpy Old Geeks" where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberWire@n2k.com. We're privileged that N2K and podcasts like the Cyberwire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Urban. Our mixer is Trey Hester with original music by Elliot Peltzman. Our executive producers are Jennifer Eiben and Brandon Carr. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]
