
Cybersecurity News, Prevention and Tips


News (November / December 2022)

**State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to prosperity
State-sponsored and cyber-enabled theft of intellectual property is on the rise as countries employ all means at their disposal to gain advantages amid rising strategic rivalry and international political mistrust, an ASPI analysis has found.

**Eight Men Indicted for $114 Million Securities Fraud Scheme Orchestrated Through Social Media
A federal grand jury in the Southern District of Texas returned an indictment that was unsealed on December 13, 2022, charging eight men with conspiracy to commit securities fraud for a long-running, social media-based “pump and dump” scheme. According to court documents, Edward Constantinescu, aka Constantin, 38, of Montgomery, Texas; Perry “PJ” Matlock, 38, of The Woodlands, Texas; John Rybarczyk, 32, of Spring, Texas; Gary Deel, 28, of Beverly Hills, California; Stefan Hrvatin, 35, of Miami, Florida; Tom Cooperman, 34, of Beverly Hills, California; Mitchell Hennessey, 23, of Hoboken, New Jersey; and Dan Knight, 23, of Houston, Texas, allegedly engaged in a wide-ranging securities fraud conspiracy in which the defendants used their extensive social media presence on Twitter and Discord to hype interest in particular securities by posting false and misleading information in order to “pump” the prices of those securities, while concealing their intent to later “dump” their shares by selling them at the artificially inflated prices. From in or around January 2020 to in or around April 2022, the defendants profited at least approximately $114 million from their scheme.

**Keeping Up With Ransomware
Earlier this month, the White House hosted the second meeting of the International Counter Ransomware Initiative (CRI). One of many initiatives on cybersecurity advanced by the Biden administration, the CRI acts as a forum for partners and allies to “cooperate internationally across all elements of the ransomware threat.” Addressing the various aspects of the ransomware threat has been a primary early goal of the Biden administration in cybersecurity. As my colleagues explained, “the U.S. government has begun to leverage a range of criminal, diplomatic, economic and military capabilities in order to combat the ongoing ransomware threat.” This whole-of-government approach attempts to thwart and disrupt cybercriminals and their infrastructure, prevent them from abusing financial systems, and impose costs on those jurisdictions that have become safe havens, while also leveraging public-private partnerships and diplomacy to improve information sharing, risk awareness, and resilience.
The theory behind this focus is that ransomware is relatively low-hanging cybersecurity fruit. Relatively few actors are responsible for a lot of the damage. Keeping software patched does wonders to prevent it. So the idea is that a series of cybersecurity “sprints” could make a big difference. The government has certainly been active on the subject. The U.S. Department of Treasury sanctioned several virtual currency exchanges for facilitating transactions laundering the proceeds of ransomware schemes. The Conti and REvil groups shut down their operations. And when the CRI first met in October 2021, more than 30 countries committed to act together to mitigate the risk of ransomware.
Yet, in the war against ransomware, ransomware is at least holding its own. Ransomware-as-a-Service (RaaS) is growing in popularity, enabling more actors to easily target a broad range of sectors. Despite increased spending on cybersecurity, more companies report being victims of an incident, a trend that is expected to continue into next year. Newer ransomware strains are emerging. More incidents are being reported. And the average ransom paid is higher than ever before. Even more concerning, the widespread adoption of double extortion schemes, in which the bad actor extracts the data before encrypting it and threatens to make it public, leads more organizations to decide that paying the ransom might be in their best interest. To begin the work of evaluating actual results against the undoubted commitments of the administration, the author of this Lawfare article will endeavor to describe the areas of work mapped by the CRI and assess what we can expect from their efforts.

**Two Estonian Citizens Arrested in $575 Million Cryptocurrency Fraud and Money Laundering Scheme
Two Estonian citizens were arrested in Tallinn, Estonia, yesterday on an 18-count indictment for their alleged involvement in a $575 million cryptocurrency fraud and money laundering conspiracy. The indictment was returned by a grand jury in the Western District of Washington on Oct. 27 and unsealed today. According to court documents, Sergei Potapenko and Ivan Turõgin, both 37, allegedly defrauded hundreds of thousands of victims through a multi-faceted scheme. They induced victims to enter into fraudulent equipment rental contracts with the defendants’ cryptocurrency mining service called HashFlare. They also caused victims to invest in a virtual currency bank called Polybius Bank. In reality, Polybius was never actually a bank, and never paid out the promised dividends. Victims paid more than $575 million to Potapenko and Turõgin’s companies. Potapenko and Turõgin then used shell companies to launder the fraud proceeds and to purchase real estate and luxury cars. The DOJ press release is here.

U.S.-ROK Strategy for Enhancing Cooperation on Combating and Deterring Cyber-Enabled Financial Crime
Following the May 2022 U.S.-ROK Summit, which revitalized previous bilateral commitments to establish a joint cyber working group to address cyber-enabled financial crime, a new report from CNAS provides specific policy recommendations for Washington and Seoul to incorporate within the cyber working group. The author argues that Pyongyang is likely to continue hacking cryptocurrency exchanges and laundering the stolen funds as long as the potential gains exceed the potential risks and the resources needed to conduct these operations. For a translation in Korean, please click here.

**There are fewer ransomware attempts than there used to be
An unwillingness to pay ransoms could be one factor behind the decline, according to recent articles in the Financial Times and MIT Technology Review.

**Western security advisers are warning that Egypt’s COP27 summit app may be a cyber weapon 
Western delegates at the summit are being told not to download the app, amid fears it could be used to hack their private emails, texts, and voice conversations – including those on encrypted channels. Read more here in POLITICO.

**Cyber Insurance and Cybersecurity Policy: An Interconnected History
A professor of Law, Sociology, and Criminology, Law & Society at the University of California, Irvine School of Law reviewed Josephine Wolff’s, “Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks” (MIT Press, 2022). Read the review, published by Lawfare, here.

**US Banks Spent $1.2B On Ransomware Payouts In 2021
U.S. financial institutions spent nearly $1.2 billion on ransomware payouts in 2021, mostly to cybercriminal groups based in Russia, in a sum that more than doubled from the prior year, U.S. Department of the Treasury officials said Tuesday, November 1, 2022.

**This stealthy hacking campaign uses a new trick to deliver its malware
Highly skilled cyber attackers are using a never-before-seen technique to stealthily infect victims with malware by abusing legitimate tools. The campaign has been detailed by cybersecurity researchers at Symantec, who say that the attackers can spend more than 18 months inside the networks of victims, all while taking steps to ensure their activity stays under the radar to avoid detection in what’s thought to be an intelligence-gathering and espionage operation. How the attack begins is still uncertain, but victims become infected with a previously undocumented form of malware dubbed Geppei, which is used to deliver another backdoor, named Danfuan, that provides covert access to compromised machines along with the ability to snoop on data stored or entered on those systems.
The attackers attempt to stay under the radar by installing backdoors on appliances that don’t support security tools, such as SAN arrays, load balancers, and wireless access point controllers. What makes this campaign unique is the way Geppei abuses Internet Information Services (IIS) logs to remain undetected, something the researchers say they have not seen used in attacks before.

**Democratic U.S. senator wants probe into Saudi firm’s stake in Twitter
U.S. Senator Chris Murphy (D-Conn.), Chairman of the U.S. Senate Foreign Relations Subcommittee on Near East, South Asia, Central Asia and Counterterrorism, on Monday sent a letter to the Committee on Foreign Investment in the United States (CFIUS), requesting an immediate investigation into the potential national security concerns arising from the recent takeover of Twitter, Inc. by Elon Musk and a number of foreign private investors, including members of the Saudi Arabian royal family and the kingdom of Qatar. “As you know, CFIUS has the responsibility to review transactions that could result in an American business being controlled by a foreign person. However, CFIUS must also review non-controlling investments in certain sensitive US businesses, including companies that develop critical technologies and businesses that possess sensitive personal data on US citizens. The purpose of these reviews is clear: to protect the national security interests of the United States and American citizens,” he wrote. 
Murphy called attention to Saudi Arabia’s repression of free speech and political dissent inside and outside of the Kingdom’s borders, including the brutal murder of Washington Post journalist Jamal Khashoggi. Murphy referenced allegations by federal prosecutors in 2019 that Saudi Arabia recruited Twitter employees to mine Twitter’s internal systems for personal information about known Saudi critics and thousands of other Twitter users, in violation of U.S. law. Twitter also suspended 88,000 accounts tied to a disinformation campaign backed by the Saudi government after an internal investigation. Murphy directed the committee to examine the degree to which Saudi influence over Twitter’s operations or access to user data could be used to silence critics and activists, or further state-sponsored disinformation campaigns. “In addition, federal and state government officials rely on Twitter to be a reliable medium to communicate vital information to the public. The possibility that a foreign power may now be able to influence the ability of the White House or a Governor to communicate with constituents must be thoroughly examined,” Murphy wrote. Full text of the letter is available here. See also Saudi Arabia and Qatar


Facing obstacles to human intelligence operations in the West, Russia has turned to the cyber environment and other intelligence sources, including foreigners in Russia, according to Supo’s press release of September 29, 2022; its National Security Overview describes this revised approach. The main intelligence gathering approach traditionally applied by the Russian intelligence services is human intelligence under diplomatic cover. This has become substantially more difficult since Russia launched its war of aggression in Ukraine, as many Russian diplomats have been expelled from the West. Even though there are still some active intelligence officers working in Finland, the Finnish government has probably severed the connections to their Russian networks, at least for the time being, and little information is available through the usual channels. Russian intelligence will probably seek to adapt its operations to these new conditions. “We consider it highly likely that Russia will turn to the cyber environment over the winter,” explains Supo Director Antti Pelttari.

Russian and Chinese Cyber Threats

Mitigation and Recommendations:

  • Whenever possible, enable Multi-factor Authentication (MFA) on accounts. Users should not accept any MFA attempts (such as push notifications, phone calls, etc.) that they did not initiate themselves.

  • Use long, complex, and unique passwords for each account. Consider using a password manager, but only for personal, non-official accounts.

  • Monitor accounts across all platforms for suspicious activity, and inspect messages for signs that they did not originate from a legitimate source. Be aware of common spear phishing lures, and exercise caution when clicking on links or attachments from external contacts. Cyber actors may compromise even known, legitimate contacts to target Department personnel.

  • Update software and apps over a secure connection to patch organizational and personal devices against known vulnerabilities.

  • Avoid connecting devices to public WiFi or public charging stations.

  • Use end-to-end encrypted messaging apps / recommendation: Signal – Signal.org 

  • Use a paid VPN service based in a trusted country on personal devices / recommendation: ProtonVPN – ProtonVPN.com
    Proton recently announced Stealth!, their new, undetectable VPN protocol that can bypass most firewalls and VPN blocking methods. Stealth! allows users to bypass advanced VPN blocks, access censored sites, and communicate with people on social media, even on restricted networks.
    The best part of Stealth! is that it utilises advanced obfuscation techniques to make VPN traffic look like normal internet traffic, making it extremely difficult for a network operator to detect that you are using a VPN service. Stealth! is also compatible with Proton VPN’s VPN accelerator technology, which provides up to 400% faster speeds. Stealth! is supported on all of Proton’s 1,828 servers in 64 countries. It is available now on iOS, macOS and Android.

  • System owners and network administrators should consider the following mitigations for non-enterprise managed networks:

    • Continuously monitor identity management environments for anomalous activity; review identity and access management policies; and audit for misconfigurations. Monitor successive failed login attempts across multiple users’ accounts.

    • Incorporate indicators of compromise (IOCs) to block known malicious infrastructure, websites, and malware. Check logs for known C2 patterns, and implement IP filtering.

    • Phase out legacy authentication protocols, and replace with solutions using modern authentication. Require, enable, and enforce MFA to access accounts and resources.

    • Continue testing and deploying patches enterprise-wide as quickly as possible, to mitigate potential exploitation.

    • Use email filtering; for example, prevent users from receiving EXE files, or disable links and attachments in email messages originating from outside the organization.

    • Close unused ports on internet-facing servers and devices.

    • Passwords for all accounts, especially for those with elevated privileges, should be strong and unique (at least 16 characters long), and should not be reused for other accounts. Ensure that default passwords are changed on all hardware and devices.

    • Ensure that credentials for enterprise systems and accounts are not stored in unsecured locations, such as file servers, email inboxes, cloud shares, or SharePoint libraries.

    • Ensure that network and system logging is enabled, including web logs for internet-facing resources.

    • Apply the principle of least privilege on all enterprise accounts, especially those with elevated privileges (e.g., administrative or service accounts).
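A minimal implementation of the “monitor successive failed login attempts across multiple users’ accounts” check recommended above, added here as an example; it is not code from this page or from any of the advisories it cites. The log line format, the account names and the source addresses are constructed for the example, and a single source that fails against several distinct accounts inside a short window is treated as a password-spray indicator.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (documentation-range IPs, not real data).
# 203.0.113.7 fails once against five accounts and then succeeds as "frank":
# the classic spray pattern that L75's recommendation is meant to catch.
# 198.51.100.9 hammers one account only (brute force, not a spray).
# 192.0.2.55 spreads three failures over 40 minutes, so the window matters.
SAMPLE_LOG = """\
2022-11-14T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2022-11-14T09:00:04Z src=203.0.113.7 user=bob result=FAIL
2022-11-14T09:00:07Z src=203.0.113.7 user=carol result=FAIL
2022-11-14T09:00:10Z src=203.0.113.7 user=dave result=FAIL
2022-11-14T09:00:13Z src=203.0.113.7 user=erin result=FAIL
2022-11-14T09:00:16Z src=203.0.113.7 user=frank result=SUCCESS
2022-11-14T09:05:00Z src=198.51.100.9 user=alice result=FAIL
2022-11-14T09:05:30Z src=198.51.100.9 user=alice result=FAIL
2022-11-14T09:06:00Z src=198.51.100.9 user=alice result=SUCCESS
2022-11-14T11:00:00Z src=192.0.2.55 user=gina result=FAIL
2022-11-14T11:20:00Z src=192.0.2.55 user=hank result=FAIL
2022-11-14T11:40:00Z src=192.0.2.55 user=ivan result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "SUCCESS"}


def detect_spray(log_text, window_minutes=10, min_users=3):
    """Flag sources whose failed logins hit >= min_users distinct accounts
    within a sliding window of window_minutes. Returns {src: alert_dict}.
    Each alert also lists accounts that logged in successfully from the same
    source at or after the spray, since those are the ones to check first."""
    window = timedelta(minutes=window_minutes)
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    fails_by_src = defaultdict(list)
    successes_by_src = defaultdict(list)
    for e in events:
        (successes_by_src if e["ok"] else fails_by_src)[e["src"]].append(e)

    alerts = {}
    for src, fails in fails_by_src.items():
        start = 0
        best = None
        for end in range(len(fails)):
            # Slide the window start forward until it fits within window_minutes.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {
                    "src": src,
                    "distinct_users": len(users),
                    "users": sorted(users),
                    "first": fails[start]["ts"],
                    "last": fails[end]["ts"],
                }
        if best:
            best["success_after"] = sorted(
                {s["user"] for s in successes_by_src[src] if s["ts"] >= best["last"]}
            )
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, a in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: {a['distinct_users']} accounts failed between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"successful logins afterwards: {a['success_after'] or 'none'}")
```

Widening `window_minutes` to 60 also surfaces the slow spray from 192.0.2.55, which is the trade-off to tune against the noise of ordinary mistyped passwords.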

The complexity of the PRC threat means that recommendations for personnel in China go beyond standard mitigation tactics. We recommend that all personnel traveling to or living in the PRC consider the following standard precautions: 

  • Avoid connecting any device to personal or home networks upon return if the device has been to the PRC, including brief stops at airports for flight transfers. 

  • Use VPNs or internal organizational networks for any sensitive business, to include financial transactions, healthcare, and other handling of personal or proprietary information.

  • Maintain physical control of mobile devices and the associated charging equipment whenever possible, especially in foreign government buildings.

  • Use electrical outlets to charge mobile devices and avoid using USB ports, even on-premises at a private-sector facility.

  • Turn over any external media received as “gifts” or found on-premises to a security manager.


CEPA Report: Russian Warfare

Long before Putin’s invasion of Ukraine, the Kremlin, Russian security agencies, and their criminal networks had been successfully using complex cyber operations to exploit systemic vulnerabilities both in the West and closer to home for their own gain. However, the absence of significant cyberattacks in Ukraine has raised questions about how well we really understand how Russia’s cyber forces are organized. By delving into the history and evolution of Russia’s cyber actors, the Russian cyber landscape, and the intricate web of those working on behalf of the Kremlin, this report reveals a remarkably fluid and informal Russian cyberspace. In addition, it provides a roadmap for how governments, civil society, and businesses can interpret and navigate this digital landscape and prepare more resilient cybersecurity and defenses for the future. This new report (September 8, 2022) is part of CEPA’s ongoing work on Russia’s cyber operations and below-threshold threats. The Center for European Policy Analysis (CEPA) is a nonpartisan, nonprofit, public policy institution based in Washington, DC.


Iran Cyber Threat Overview and Advisories

This page provides an overview of the Cybersecurity and Infrastructure Security Agency’s (CISA’s) assessment of the Iranian government’s malicious cyber activities. The overview leverages publicly available, open-source intelligence and information regarding this threat. This page also includes a complete list of related CISA publications, many of which are jointly authored with other U.S. government agencies (Note: unless specifically stated, neither CISA nor the U.S. Government attributed specific activity described in the referenced sources to Iranian government actors). Additionally, this page provides instructions on how to report related threat activity.

US bolsters cyber alliance to counter rising Iran threat / On the sidelines of U.S. President Joe Biden’s visit to the kingdom of Saudi Arabia on July 15-16 2022, the Saudi National Cybersecurity Authority (NCA) announced the signing of a Memorandum of Understanding for Cybersecurity Cooperation with the U.S. Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA). This MoU, a move experts see as a direct response to the rising digital threat from Iran, aims to promote bilateral cooperation in the field of cybersecurity to safeguard the cyberspace and vital interests in the Kingdom of Saudi Arabia and the USA.

Ransomware

Ransomware infections occur in different ways, such as through insecure and fraudulent websites, software downloads and malicious attachments. Anyone can be a target – individuals and companies of all sizes. Fortunately, there are ways for you to be prepared and reduce the likelihood of finding yourself in front of a locked laptop or encrypted file. You can significantly reduce the chances of infection by applying security steps and paying attention online.

ENISA’s July 29, 2022 report (“Threat Landscape for Ransomware Attack”) aims to bring new insights into the reality of ransomware incidents through mapping and studying ransomware incidents from May 2021 to June 2022. Based on the findings, ransomware has adapted and evolved, becoming more efficient and causing more devastating attacks. The European Union Agency for Cybersecurity (ENISA) is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.

The following EUROPOL guideline for regular users and mitigation steps for businesses will help you stay alert and ready. The guidelines also include steps to take if your device or system becomes infected.

NIST, the National Institute of Standards and Technology, has also published a more detailed fact sheet on how to stay prepared against ransomware attacks. You can find this material and more on ransomware at the NIST and CISA websites. These materials were produced by staff members in NIST’s Information Technology Laboratory and National Cybersecurity Center of Excellence.

September 8, 2022: CISA/FBI Alert (AA22-249A) #StopRansomware  
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs and TTPs associated with Vice Society actors identified through FBI investigations as recently as September 2022. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks. The joint CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

——

Infected… what to do next?

  1. Always visit www.nomoreransom.org to check whether you have been infected with one of the ransomware variants for which there are decryption tools available free of charge.

  2. Don’t pay the ransom! You will be financing criminals and encouraging them to continue their illegal activities.

  3. Report it to your national police. The more information you provide, the more effectively law enforcement can disrupt the criminal enterprise.

National Security Agency Cybersecurity Technical Report

The National Security Agency (NSA) released a new report in March 2022 that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks. NSA’s report ‘Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance’ is freely available to all network admins and CIOs to bolster their networks against state-sponsored and criminal cyberattacks.

‘;–have i been pwned? (HIBP)

HaveIBeenPwned (HIBP) is a free service for tracking credentials stolen and/or leaked through past data breaches.

Check if your email or phone is in a data breach.

Check if your passwords have been leaked in previous breaches.

Hardening Signal (CERT-EU Team)

Signal is a well-known, secure, encrypted instant messaging service developed by the non-profit Signal Technology Foundation and Signal Messenger LLC. It uses standard cellular telephone numbers as identifiers and all communications between Signal users are secured with end-to-end encryption. Staff of public and private organisations, including senior management, may be using Signal sometimes to quickly coordinate and exchange information on work-related matters. Signal groups may also have been set up for business continuity reasons in case corporate instant messaging tools become unavailable. This March 3, 2022 document provides clear and pragmatic recommendations for hardening the configuration of Signal apps.

Cyber Incidents

The biggest data breaches, hacks of 2021 (ZDNet)
Here are some of the most notable security incidents, cyberattacks, and data breaches over 2021. 

Significant Cyber Incidents since 2006 (CSIS)
This timeline from the Center for Strategic and International Studies records significant cyber incidents since 2006, with a focus on cyber attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars. CSIS is one of the world’s preeminent, bipartisan and nonprofit international policy institutions. They focus on defense and security, regional study, and transnational challenges ranging from energy and trade to global development and economic integration.

Below is a summary of incidents during the month of September 2022. October 2022 will follow soon when available. For the full list, click here.

  • September 2022. Hackers targeted Montenegro’s government networks, rendering Montenegro’s main state websites and government information platforms inaccessible. Montenegrin officials blamed Russia for the attack.
  • September 2022. Hackers targeted the state-level parliamentary website of Bosnia and Herzegovina, rendering the sites and servers inaccessible for multiple weeks.
  • September 2022. China accused the U.S. National Security Agency (NSA) of numerous cyberattacks against China’s Northwestern Polytechnical University. Authorities claim the NSA stole user data and infiltrated digital communications networks.
  • September 2022. The group Anonymous took responsibility for a series of cyberattacks against the Iranian government that took down two main Iranian government websites and the websites of several state media organizations.
  • September 2022. Hackers targeted the Mexican Defense Ministry and accessed six terabytes of data, including internal communications, criminal data, and data that revealed Mexico’s monitoring of Ken Salazar, the U.S. Ambassador to Mexico. Mexican President Andres Manuel Lopez Obrador confirmed the authenticity of the data, including personal health data released to the public.
  • September 2022. A Russian-based hacking group targeted the website of the United Kingdom’s intelligence agency MI5 with a DDoS attack that temporarily took the site offline.

Cybersecurity Incident & Vulnerability Response Playbooks (CISA)
The Cybersecurity and Infrastructure Security Agency (CISA) released the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Produced in accordance with Executive Order 14028, “Improving the Nation’s Cybersecurity,” the playbooks provide federal civilian agencies with a standard set of procedures to respond to vulnerabilities and incidents impacting Federal Civilian Executive Branch networks.  “The playbooks we are releasing today are intended to improve and standardize the approaches used by federal agencies to identify, remediate, and recover from vulnerabilities and incidents affecting their systems,” said Matt Hartman, Deputy Executive Assistant Director for Cybersecurity. “This important step, set in motion by President Biden’s Cyber Executive Order, will enable more comprehensive analysis and mitigation of vulnerabilities and incidents across the civilian enterprise. We encourage our public and private sector partners to review the playbooks to take stock of their own vulnerability and incident response practices.” The Incident Response Playbook applies to incidents that involve confirmed malicious cyber activity and for which a major incident has been declared or not yet been reasonably ruled out.  The Vulnerability Response Playbook applies to any vulnerability that is observed to be used by adversaries to gain unauthorized entry into computing resources. This playbook builds on CISA’s Binding Operational Directive 22-01 and standardizes the high-level process that should be followed when responding to these vulnerabilities that pose significant risk across the federal government, private and public sectors. 
Building on lessons learned from previous incidents and incorporating industry best practices, CISA intends for these two playbooks to strengthen cybersecurity response practices and operational procedures not only for the federal government, but also for public and private sector entities. The playbooks contain checklists for incident response, incident response preparation, and vulnerability response that can be adapted to any organization to track necessary activities to completion. 

Recent Cybersecurity Alerts (CISA)

These 2022 alerts provide timely information about current security issues, vulnerabilities, and exploits.
These 2021 alerts provide timely information about current security issues, vulnerabilities, and exploits.
These 2020 alerts provide timely information about current security issues, vulnerabilities, and exploits.
These 2019 alerts provide timely information about current security issues, vulnerabilities, and exploits.
These 2018 alerts provide timely information about current security issues, vulnerabilities, and exploits.

——

News (July / October 2022)

** What Impact, if Any, Does Killnet Have?
On October 4, 2022, a cryptic message first appeared in the Telegram forum We Are Killnet, hosted by the pro-Russian hacktivist collective Killnet, and spread quickly across Twitter. The message roughly translates to: “Weather forecast for 7 days! 14:00 USA—A L4 level flood is expected throughout the United States. 16:00 USA—All Tax web resources are experiencing difficulties in performance.” A clever play on words, the message implied that Killnet was planning a series of distributed denial of service (DDoS) attacks—also called floods—against U.S. government websites over a 72-hour time period. The group dubbed its operation “USA Offline” and paired its cyber-doom narrative with an image of Lady Liberty backlit by a fiery mushroom cloud. On Twitter and Telegram, Killnet and its followers were signaling that a catastrophic cyber event designed to cripple U.S. networks was forthcoming.

Killnet’s “USA Offline” DDoS operation (https://t.me/killnet_reservs/2939)

And then, nothing really significant happened. For the next few days, Killnet conducted DDoS attacks against a series of U.S. targets, including the National Geospatial-Intelligence Agency, state government websites, military health care and benefit-related websites (such as Tricare Online), airport websites, and JPMorgan Chase. But these attacks had little, if any, effect. For instance, after targeting U.S. state websites, the group self-reported that their DDoS “control went down” and lamented that states “just fixed everything.” The attacks against Tricare Online rendered services unavailable for a few minutes—a stark contrast to the ominous 30-second video announcing the attack, which concludes with a short clip of a U.S. service member kneeling and crying. Similarly, the DDoS against U.S. airport websites had no impact on airport operations or flights but did prevent users from accessing some sites for sustained periods of time. The New York Port Authority noted that LaGuardia Airport’s website suffered intermittent delays for roughly 15 minutes but that “airport [and Port Authority] operations were never disrupted by the 3 a.m. cyberattack.” And, lastly, JPMorgan indicated that it did not experience any issues related to Killnet’s DDoS.
This raises a puzzling question: What was the point of all of this? More in Lawfare, October 21, 2022.

**Two Men Sentenced for Nationwide Scheme to Steal Social Media Accounts and Cryptocurrency
Two Massachusetts men were sentenced today for an extensive scheme to take over victims’ social media accounts and steal their cryptocurrency using techniques such as “SIM swapping,” computer hacking, and other methods. Eric Meiggs, 24, of Brockton, was sentenced to two years and one day in prison. Declan Harrington, 22, of Beverly, was sentenced to two years and seven days in prison. According to court documents, Meiggs and Harrington targeted executives of cryptocurrency companies and others who likely had significant amounts of cryptocurrency and those who had high value or “OG” (slang for Original Gangster) social media account names. Meiggs and Harrington conspired to hack into and take control over these victims’ online accounts so they could obtain things of value, such as cryptocurrency. They used an illegal practice known as “SIM swapping” and other techniques to access, take control of, and in some cases steal cryptocurrency from, the accounts. In “SIM swapping”, cybercriminals convince a victim’s cell phone carrier to reassign the victim’s cell phone number from the SIM card (Subscriber Identity Module card) inside the victim’s cell phone to the SIM card inside a cell phone controlled by the cybercriminals. Cybercriminals then pose as the victim with an online account provider and request that the provider send account password-reset links or an authentication code to the SIM-swapped device now controlled by the cybercriminals. The cybercriminals can then reset the victim’s account log-in credentials and use the log-in credentials to access the victim’s account without authorization, or “hack into” the account. More in the DOJ Press Release of October 19, 2022.
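The SIM-swap flow described in the press release works because the account provider treats control of a phone number as proof of identity. The following Python example is added here as an illustration and is not code from the DOJ release or from any account provider; it shows the two defences a practitioner would want on the recovery path: refusing to send reset codes over SMS when the number recently moved to a new SIM, and preferring a device-bound TOTP factor (RFC 6238) that a reassigned phone number does not give the attacker. The SIM-change feed (`SIM_CHANGES`), the 72-hour cooldown, the example timestamp and the account records are all constructed assumptions; real carriers expose SIM-change signals through their own interfaces, which are not modelled here.

```python
"""Account-recovery guard against SIM swapping (illustrative example).

1. An SMS-delivered reset code is only as strong as the carrier's control of
   the phone number. If the number was moved to a new SIM recently, treat SMS
   as untrusted and require a device-bound factor or manual review instead.
2. A TOTP code (RFC 6238) is derived from a secret stored on the user's
   device, so reassigning the phone number gives an attacker nothing.
"""
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# Assumption: policy window after a SIM change during which SMS is not trusted.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)

# Constructed sample data: most recent SIM/port change per phone number, as a
# carrier signal would report it. Not real numbers or real events.
SIM_CHANGES = {
    "+15551230001": datetime(2022, 10, 18, 3, 0, tzinfo=timezone.utc),  # swapped hours ago
    "+15551230002": datetime(2022, 1, 5, 12, 0, tzinfo=timezone.utc),   # stable number
}

# Constructed "now" so the decisions below are reproducible.
EXAMPLE_NOW = datetime(2022, 10, 19, 12, 0, tzinfo=timezone.utc)


def sms_reset_allowed(phone, now, changes=SIM_CHANGES):
    """True only if the number has not changed SIM inside the cooldown window.
    Numbers with no carrier data are treated as recently changed (fail closed)."""
    last = changes.get(phone)
    if last is None:
        return False
    return now - last >= SIM_CHANGE_COOLDOWN


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at_unix, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at_unix) // step, digits)


def verify_totp(secret, code, at_unix, step=30, digits=6, window=1):
    """Accept the current code or one step either side; constant-time compare."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at_unix + drift * step, step, digits), code):
            return True
    return False


def choose_recovery_factor(account, now):
    """Decide how a password reset may be delivered for this account:
    TOTP if enrolled, SMS only for a stable number, otherwise manual review."""
    if account.get("totp_secret"):
        return "totp"
    if sms_reset_allowed(account["phone"], now):
        return "sms"
    return "manual_review"


if __name__ == "__main__":
    # RFC 6238 Appendix B test vector: secret "12345678901234567890", T=59, SHA-1, 8 digits.
    print(totp(b"12345678901234567890", 59, digits=8))  # 94287082
    for acct in ({"phone": "+15551230001", "totp_secret": None},
                 {"phone": "+15551230002", "totp_secret": None},
                 {"phone": "+15551230001", "totp_secret": b"device-secret"}):
        print(acct["phone"], "->", choose_recovery_factor(acct, EXAMPLE_NOW))
```

The TOTP routine is checked against the published RFC 6238 test vectors, so the device-bound factor is a genuine implementation rather than a stand-in; the recovery policy itself is the part an account provider would tune, in particular the cooldown and what "no carrier data" should mean for their risk appetite.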

**This ‘thermal attack’ can read your password from the heat your fingertips leave behind
Computer security researchers say they’ve developed an AI-driven system that can guess computer and smartphone passwords in seconds by examining the heat signatures that fingertips leave on keyboards and screens when entering data.  Called ThermoSecure, researchers at the University of Glasgow’s School of Computing Science developed the system to show how the falling price of thermal-imaging cameras and increasing access to machine-learning and artificial intelligence (AI) algorithms are creating new opportunities for what they describe as thermal attacks. By using a thermal-imaging camera to look at a computer keyboard, smartphone screen or ATM keypad, it’s possible to take a picture that reveals the recent heat signature from fingers touching the device. The brighter the area appears in the thermal image, the more recently it was touched – meaning that the image could be used to crack a password or pin code by analyzing where the keyboard or screen was touched, and when. 
Earlier research by the University of Glasgow into thermal attacks has suggested that humans without expertise can guess passwords by looking at thermal images, and now – by adding artificial intelligence – passwords could be cracked even faster by specialist attackers. More in the article “AI-Driven ‘Thermal Attack’ System Reveals Passwords in Seconds”, published by the University of Glasgow on October 10, 2022.
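The core of the attack is the ordering rule stated above: hotter key means more recent touch. The following Python example is added here to make that rule concrete and is not ThermoSecure or any University of Glasgow code; it takes a constructed per-key residual-temperature readout (as if extracted from a thermal image of a keypad after a 4-digit PIN entry), orders touched keys coldest-first, and enumerates alternatives where two keys are too close in temperature to be ordered reliably. The readouts, the noise floor and the ambiguity threshold are invented assumptions; it also makes explicit the case the method cannot resolve on its own (repeated digits, or fewer warm keys than PIN digits).

```python
"""Ranking PIN candidates from residual keypad heat (illustrative example)."""
from itertools import permutations, product

# Constructed readout: residual temperature per key in arbitrary units, as if
# measured from a thermal image shortly after a 4-digit PIN was typed.
THERMAL_READOUT = {"1": 0.0, "2": 0.0, "3": 0.61, "4": 0.0, "5": 0.83,
                   "6": 0.0, "7": 0.74, "8": 0.0, "9": 0.0, "0": 0.92}

# Same PIN, but keys 7 and 5 were pressed in quick succession and read almost
# the same temperature, so their order is ambiguous (constructed data).
AMBIGUOUS_READOUT = {"1": 0.0, "2": 0.0, "3": 0.61, "4": 0.0, "5": 0.83,
                     "6": 0.0, "7": 0.80, "8": 0.0, "9": 0.0, "0": 0.92}


def candidate_pins(readout, pin_length, noise_floor=0.2, ambiguity=0.05):
    """Return PIN candidates ordered by likelihood.

    - Keys above `noise_floor` are taken as the touched set.
    - Sorting by temperature ascending gives oldest-touch-first, i.e. PIN order.
    - Adjacent keys whose temperatures differ by less than `ambiguity` cannot
      be ordered reliably; every permutation within such a group is emitted.
    - If the number of warm keys does not match the PIN length (repeated
      digit, wiped trace), the method cannot resolve the PIN and returns [].
    """
    touched = sorted((temp, key) for key, temp in readout.items() if temp > noise_floor)
    if len(touched) != pin_length:
        return []

    # Group keys whose temperatures are within `ambiguity` of their neighbour.
    groups = [[touched[0]]]
    for current in touched[1:]:
        if current[0] - groups[-1][-1][0] < ambiguity:
            groups[-1].append(current)
        else:
            groups.append([current])

    # All orderings within each ambiguous group, then their cartesian product.
    orderings = [["".join(key for _, key in perm) for perm in permutations(group)]
                 for group in groups]
    return ["".join(parts) for parts in product(*orderings)]


def search_space_reduction(readout, pin_length):
    """Factor by which the thermal readout shrinks a brute-force space of 10**n."""
    candidates = candidate_pins(readout, pin_length)
    return None if not candidates else 10 ** pin_length // len(candidates)


if __name__ == "__main__":
    print(candidate_pins(THERMAL_READOUT, 4))      # ['3750']
    print(candidate_pins(AMBIGUOUS_READOUT, 4))    # ['3750', '3570']
    print(search_space_reduction(AMBIGUOUS_READOUT, 4))
```

The practical lesson is in the numbers: even with one ambiguous pair, a 4-digit PIN space collapses from 10,000 to two guesses, which is why the countermeasures the researchers discuss (longer passcodes, touching extra keys, heating or wiping the surface) all aim at breaking the clean mapping between heat and order rather than at the camera.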

A thermal image showing heat traces left by fingertips on a keyboard, which researchers say could be used to crack passwords. Image: University of Glasgow

**Finnish Security and Intelligence Service (Supo): “Russian intelligence changes approach”
The main intelligence gathering approach traditionally applied by the Russian intelligence services is human intelligence under diplomatic cover. This has become substantially more difficult since Russia launched its war of aggression in Ukraine, as many Russian diplomats have been expelled from the West. Even though there are still some active intelligence officers working in Finland, the Finnish government has probably severed the connections to their Russian networks, at least for the time being, and little information is available through the usual channels. Facing these obstacles, Russia has turned to the cyber environment and to other intelligence sources, including foreigners in Russia, according to Supo’s National Security Overview, presented in its press release of September 29, 2022.
Russian intelligence will probably seek to adapt its operations to these new conditions. “We consider it highly likely that Russia will turn to the cyber environment over the winter,” explains Supo Director Antti Pelttari.

**FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework
Businesses engaged in activities involving personal data transfers from the European Union to the United States will be interested in an executive order President Biden signed on October 7, 2022, that is intended to implement U.S. commitments under the Trans-Atlantic Data Privacy Framework (DPF) announced in March and strengthen the legal foundation for trans-Atlantic data flows. 

**Former Chief Security Officer Of Uber Convicted Of Federal Charges For Covering Up Data Breach Involving Millions Of Uber User Records
A federal jury convicted Joseph Sullivan, the former Chief Security Officer of Uber Technologies, Inc. (“Uber”), of obstruction of proceedings of the Federal Trade Commission (“FTC”) and misprision of felony in connection with his attempted cover-up of a 2016 hack of Uber. The announcement was made on October 5, 2022, by United States Attorney Stephanie M. Hinds and FBI San Francisco Special Agent in Charge Robert K. Tripp following a four-week trial before the Hon. William H. Orrick, United States District Judge. “Technology companies in the Northern District of California collect and store vast amounts of data from users,” said U.S. Attorney Hinds. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”
“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said FBI Special Agent In Charge Tripp. “The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain.”
See also the August 20, 2020 article in The New York Times, “Former Uber Security Chief Charged With Concealing Hack: Joe Sullivan, who led Uber’s security team through the company’s most tumultuous period, was fired by the company’s newly installed chief executive in 2017.”

Credit Peter Adams, via the NYT
Supo’s press release of September 29, 2022, presenting its National Security Overview, reports that, facing obstacles to human intelligence operations in the West, Russia has turned to the cyber environment and to other intelligence sources, including foreigners in Russia; the item is summarized above under “Finnish Security and Intelligence Service (Supo): ‘Russian intelligence changes approach’”.

**Canadian National Sentenced in Connection with Ransomware Attacks Resulting in the Payment of Tens of Millions of Dollars in Ransoms
On October 4, 2022, a Canadian man was sentenced to 20 years in prison and ordered to forfeit $21,500,000 for his role in NetWalker ransomware attacks. The Court will order restitution at a later date.

**Landmark U.S.-UK Data Access Agreement Enters into Force
The Agreement between the Government of the United States of America and the Government of the United Kingdom of Great Britain and Northern Ireland on Access to Electronic Data for the Purpose of Countering Serious Crime (“Data Access Agreement” or “Agreement”) entered into force on Monday, October 3, 2022. The Agreement is authorized by the Clarifying Lawful Overseas Use of Data (CLOUD) Act, a law enacted by Congress in 2018, and will be the first agreement of its kind, allowing each country’s investigators to gain better access to vital data to combat serious crime in a way that is consistent with privacy and civil liberties standards.

**Chinese hacking group targeting US agencies and companies has surged its activity, analysis finds
An elite Chinese hacking group with ties to operatives indicted by a US grand jury in 2020 has surged its activity this year, targeting sensitive data held by companies and government agencies in the US and dozens of other countries, according to an expert at consulting giant PwC.

**Hackers are testing a destructive new way to make ransomware attacks more effective
Ransomware hackers are experimenting with a new kind of attack that, instead of encrypting data, outright destroys it. The aim is to make it impossible for victims to retrieve their data if they don’t pay the ransom. Ransomware is one of the biggest cybersecurity issues facing the world today, and while many victims refuse to give in to the extortion, many feel they have no choice but to pay up for a decryption key. But according to cybersecurity researchers at least one ransomware group is testing ‘data destruction’ attacks. More in this ZDNET article.

**Senate Intelligence Committee Releases Bipartisan Report Detailing Foreign Intelligence Threats
U.S. counterintelligence efforts are failing to keep pace with espionage, hacking and disinformation threats, according to a Senate report released on September 20, 2022. The bipartisan report by the Senate Intelligence Committee says that U.S. spy agencies are poorly equipped to combat threats from major powers such as China, transnational criminal organizations and ideologically motivated groups. These varied groups target not just U.S. national security agencies, but also other government departments, the private sector and academia in search of secret or sensitive data. The report, which is partially redacted, focuses on the little-known National Counterintelligence and Security Center, whose mission is to lead counterintelligence across the U.S. government. The center doesn’t have sufficient funding or authority, nor a clear mission, the Senate report says. 

**Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior 
The number of cyber operations launched from Russia over the last few years is astounding, ranging from the NotPetya malware attack that cost the global economy billions, to the SolarWinds espionage campaign against dozens of US government agencies and thousands of companies. Broad characterizations of these operations, such as “Russian cyberattack,” obscure the very real and entangled web of cyber actors within Russia that receive varying degrees of support from, approval by, and involvement with the Russian government.
The Atlantic Council’s Cyber Statecraft Initiative issue brief describes the large, complex, and often opaque network of cyber actors in Russia, from front companies to patriotic hackers to cybercriminals. It analyzes the range and ambiguity of the Russian government’s involvement with the different actors in this cyber web, as well as the risks and benefits the Kremlin perceives or gets from leveraging actors in this group. The issue brief concludes with three takeaways and actions for policymakers in the United States, as well as in allied and partner countries: focus on understanding the incentive structure for the different actors in Russia’s cyber web; specify the relationship any given Russian actor has or does not have with the state, and calibrate their responses accordingly; and examine these actors and activities from Moscow’s perspective when designing policies and predicting the Kremlin’s responses.

**Justice Department Announces Report on Digital Assets and Launches Nationwide Network
Sep 16, 2022: The Department of Justice today announced significant actions regarding digital assets, including the public release of its report, pursuant to the President’s March 9 Executive Order on Ensuring Responsible Development of Digital Assets, on The Role of Law Enforcement in Detecting, Investigating, and Prosecuting Criminal Activity Related to Digital Assets; and the establishment of the nationwide Digital Asset Coordinator (DAC) Network, in furtherance of the department’s efforts to combat the growing threat posed by the illicit use of digital assets to the American public.

**Data Security at Risk: Testimony from a Twitter Whistleblower (Full Committee Hearing)
Twitter whistleblower Peiter Zatko told the Senate Judiciary Committee on Tuesday, September 13, 2022, that Twitter lacks the resources and motivation to search for and remove foreign intelligence threats within its operations. In his testimony, Zatko revealed how Twitter had received a specific warning from the FBI that the company may have had one or more Chinese spies within its ranks. The explosive detail linking the U.S. government warning to China had not been a part of Zatko’s publicly reported disclosure to the U.S. government. It remains unclear whether Twitter acted on the tip, but Zatko told Sen. Chuck Grassley that he and others inside Twitter understood that the company was a target for foreign intelligence agencies.

Peiter Zatko is before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13, 2022 (Sarah Silbiger for CNN)

**Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities
The United States has imposed sanctions on Iran’s Ministry of Intelligence and Security (MOIS) as well as its Minister of Intelligence Esmail Khatib for engaging in malicious cyber efforts against the United States and its allies since at least 2007. According to the U.S. Treasury Department’s press release, one of the most recent attacks linked to the MOIS was a July cyberattack on Albanian computer systems that required the government to temporarily stop providing online services for citizens. As a part of the sanctions regime, all property and interests in property of Khatib and MOIS within U.S. jurisdiction are blocked, and “U.S. persons are generally prohibited from engaging in transactions with them.”

**Lloyd’s to Exclude Catastrophic Nation-Backed Cyberattacks From Insurance Coverage
By 2023, insurer groups must add clauses to cyber policies excluding state-backed hacks that severely affect target nation’s infrastructure, insurance marketplace says. Lloyd’s of London Ltd. will require its insurer groups globally to exclude catastrophic state-backed hacks from stand-alone cyber insurance policies starting next year.  Lloyd’s is a marketplace where roughly 75 syndicates of underwriters congregate to provide insurance coverage for businesses, organizations and individuals. As of March 31, when coverage begins or is renewed, syndicates must exclude state-backed cyberattacks from policies that protect against physical and digital damage caused by hacks, Underwriting Director Tony Chaudhry said in a bulletin dated Aug. 16, 2022.

**EU Cyber Proposal a Move in the Right Direction, But Should Avoid Protectionism
The EU’s recent move to update and harmonize the bloc’s government information security standards is an appropriate response to protect the increasing amounts of information that the public sector attains and shares. Though it gets most things right, the EU should drop its protectionist provisions requiring certain data to be stored locally. The EU’s threat landscape has become vast: Each of the Union’s institutions, bodies, agencies, and offices is spread across 27 countries and acts as a potential vector for a security breach. Several of the aims of the proposal to set up an EU-wide information security scheme are laudable attempts to reduce exposure and mitigate risks, including inter-institution cooperation and governance, a common approach to categorization, modernized standards for remote work, and greater compatibility between systems. Unfortunately, a key provision, Article 17(1)(c), misguidedly requires that sensitive non-classified (SNC) information, defined as data that must be protected due to legal obligations or harm that may be caused, should be “stored and processed in the EU.” Center for Data Innovation, August 26, 2022.

**Former security chief claims Twitter buried ‘egregious deficiencies’
A former executive at Twitter said the company misrepresented its cybersecurity capabilities to the Federal Trade Commission and its board of directors. Peiter Zatko, a well-known hacker and Twitter’s former head of security, said that executives at the company failed to properly notify directors of data breaches and security vulnerabilities on the platform. The complaint made by Zatko also accused company executives of focusing on growth to the detriment of addressing spam. Zatko was fired by Twitter’s CEO in January due to what the company described as “ineffective leadership and poor performance.” See also “Mudge Blows Whistle on Alleged Twitter Security Nightmare” (DarkReading, August 23, 2022). Twitter’s former chief security officer is set to testify before the Senate Judiciary Committee next month. The hearing, announced for Sept. 13, is the first of likely numerous investigations expected by Congress in the coming months, as lawmakers probe the implications of the cybersecurity vulnerability claims Peiter Zatko made against his former employer.

**Developer Arrested Following OFAC Sanctions of Tornado Cash Protocol
Just days after OFAC issued sanctions against virtual currency mixer Tornado Cash, Dutch authorities arrested the protocol’s alleged developer on August the 10th, 2022. In a press release, the Treasury Department alleged that since 2019, Tornado Cash had been used to launder more than $7 billion in cryptocurrency, including more than $455 million stolen in the largest decentralized finance (DeFi) hack to date, on the Ronin Network, carried out by the North Korean-backed cybercrime syndicate the Lazarus Group. Dutch authorities have not released the identity of the developer and have not ruled out the possibility of further arrests related to Tornado Cash.

**John Scott-Railton Delivers Testimony to House Permanent Select Committee on Intelligence 

On July 27, 2022, Citizen Lab senior researcher John Scott-Railton was asked to appear before the House Permanent Select Committee on Intelligence. He was invited to provide expert testimony on a hearing devoted to combating threats to U.S. national security from the proliferation of foreign commercial spyware. The written submission of that testimony is here.