Monday, April 11, 2022 // (IG): BB // Weekly Sponsor: Cloakedentryco
At small and rural hospitals, ransomware attacks are causing unprecedented crises
FROM THE MEDIA: At 12:08 p.m. on a Monday, a Sky Lakes Medical Center employee tapped an email link. Within minutes, that click cracked open the Oregon hospital’s digital infrastructure for cybercriminals to infiltrate. By the time IT staff started looking into it, “everything was being encrypted,” said John Gaede, director of information services. On a note discovered in a server, the attackers announced the 100-bed Klamath Falls hospital had been hit with ransomware. “None of us have ever experienced anything like this,” Gaede said. The ramifications were sweeping. Sky Lakes serves a 10,000-square-mile area in rural southern Oregon; the next closest hospital is 72 miles to the west, 140 miles to the north, 100 miles to the east or 100 miles south. In other words, Gaede said, “We are the sole provider of care.” And at the time of the attack, October 2020, the hospital was battling its first local surge of Covid-19. Hospital officials quickly decided on the most extreme counter-response: powering down about 2,500 devices and more than 600 servers, Gaede said. “Anything that had a computer in it, we shut it off.”
READ THE STORY: Stat
The Register masks fact that CIA-backed firm behind power grid claim
FROM THE MEDIA: A report accusing China of conducting attacks on India's power grid has been attributed to a cyber-security firm named Insikt Group, by the British website, The Register. But no such firm exists; Insikt Group is a part of the threat intelligence firm Recorded Future which has been funded in part by the CIA's investment arm, In-Q-Tel. The report in question is here. I pointed this out in the comments section for the article — after first identifying myself as a technology journalist and elaborating on why I was making the comment — and left my comment there. A while later, I found that the comment had been deleted. That was two days ago and it looks like The Register wants to hide the fact that it was pushing a report from a CIA-sponsored unit. Or perhaps it did not want to have mud on the face of its reporter, Laura Dobberstein. This is the second time that Recorded Future is making this claim; the first time was in 2021. However, at that time the claim was extremely tenuous; as I wrote: "Recorded Future takes more than one step backward, citing characteristics of other China-related groups (related? linked?) before saying: 'Despite some overlaps with previous groups, Insikt Group [the fancy name for its research wing] does not currently believe there is enough evidence to firmly attribute the activity in this particular campaign to an existing public group and therefore continues to track it as a closely related but distinct activity group, RedEcho'."
READ THE STORY: iT Wire
The U.S. opens a risky new front in cyber defense
FROM THE MEDIA: A U.S. operation to secretly remove malware from networks at home and overseas highlights the new front Washington is opening in its approach to global cyber defense. It's a much-needed strategy, but one that ought to be handled delicately if the U.S. is to maintain the cooperation necessary to keep pulling off such sneaky maneuvers. The U.S. and its allies found malicious code developed and planted by Russia's military intelligence agency, the GRU, in thousands of devices worldwide, Attorney General Merrick Garland revealed Wednesday. The U.S. and other nations have been on the alert for the possibility that Russia would conduct cyberattacks on businesses or critical infrastructure to retaliate against sanctions over the war in Ukraine. But the mission disclosed this week went further than identifying where malware had turned up. According to the New York Times, secret court orders allowed the U.S. to remove the malicious software from Russian control by taking steps that included entering corporate networks without the companies' knowledge. It's a big shift from the time when Western governments mainly portrayed themselves as victims of hacking, incapable or unwilling to counter cyber threats by intruding into foreign systems. The new proactive approach, including publicizing what authorities are doing to try to preempt attacks, reflects the realities of modern cyber warfare.
READ THE STORY: Post Gazette
FIN7 Pen Tester Gets Five Years Behind Bars
FROM THE MEDIA: A Ukrainian man has been jailed in the US for five years after working for infamous financial crime group FIN7. Denys Iarmak, 32, was arrested in Bangkok in November 2019 and extradited to the US, where he pleaded guilty last November to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking. He was accused of working as a pentester for FIN7 (aka Carbanak Group), which reportedly stole over 20 million credit card records from more than 6500 point-of-sale (POS) terminals at thousands of US businesses since 2015. These attacks, some of which were also targeted at organizations outside the US, including those in the UK, France and Australia, are said to have cost in excess of $1bn. The restaurant, gambling and hospitality industries were singled out for special treatment by the group, with popular chain businesses including Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli all impacted. Attacks were fairly simple in their execution: phishing emails loaded with booby-trapped attachments were targeted at corporate employees, with the group often following up via phone to make sure victims downloaded the malware. The resulting stolen data was put up for sale on carding sites, according to the Department of Justice (DoJ).
READ THE STORY: Info Security
Russian cyberattacks target Romania
FROM THE MEDIA: We want to turn now to another potential front for the war in Ukraine - cyberspace. Russia has employed cyber warfare tactics for some time now, and analysts say the conflict in Ukraine could also escalate online to include attacks affecting multiple countries. NPR cybersecurity correspondent Jenna McLaughlin interviewed the head of Romania's new National Cyber Security Directorate about what he's seeing, and she's with us now to tell us more. Jenna, welcome. Thanks for joining us. JENNA MCLAUGHLIN, BYLINE: Of course. Hi, Michel. MARTIN: So we've been hearing a lot about possible spillover from the war in Ukraine, including the chance for cyberattacks against U.S. businesses in retaliation for sanctions. But Romania has actually been seeing some of those impacts firsthand. Can you just tell us about that? MCLAUGHLIN: Absolutely. So I spoke with Dan Cimpean, who leads Romania's civilian cybersecurity agency. It's basically the equivalent of the Department of Homeland Security's CISA. And he broke down the last two months for me. He said that they've detected an increase of 120 times the rate of malicious cyberactivity as compared to normal. Now, that includes a pretty big range of malicious activity. It's everything from bad actors scanning for vulnerable devices all the way up to actual intrusions, attacks against mail servers as well as discovering malware that's been linked to Russia and specific Russian hacking groups. Actually, on the same day that Romanian officials met with French officials at a NATO base and condemned the war in Ukraine, a large oil and gas company in Romania was hit by a cyberattack, and lots of their data was encrypted, disrupting operations temporarily.
READ THE STORY: NPR
The Russia-Ukraine war – A Twitter War?
FROM THE MEDIA: With Russia spreading propaganda and Ukraine appealing to social-media platforms to ban its usage in the Russian state, the spread of misinformation has increased rampantly. Twitter as a platform has been used by politicians, celebrities and companies to call out Russia, and users have urged the abandonment of Twitter’s operations and services in the region. Twitter allows viewers to express their thoughts freely on the platform, with hashtags prompting people to join the pro-Ukraine movement. With Twitter, the information is widespread and quick. However, the Russia-Ukraine war is not the first one which has gained an international audience. Local uprisings during the Arab Spring of 2010, notably in Egypt and Tunisia, were one of the first international issues involving rampant use of social media. After that, the Russia-Ukraine war of 2022 is the major global event to receive international attention and quick action. The role of social media is largely to promote prompt actions from the concerned authorities in the name of humanitarian rights. But the plethora of information available on the Internet has made it difficult to sort the reel from the real, while posing a challenge in finding the truth.
READ THE STORY: Modern diplomacy
FBI Disrupts Cyclops Blink Botnet Used by Russian Intelligence Directorate
FROM THE MEDIA: According to US authorities, the Cyclops Blink botnet was controlled by the Russian Federation’s Main Intelligence Directorate (GRU) and had compromised thousands of devices worldwide. A court-authorized operation against a Russian-controlled botnet infecting hardware devices with Cyclops Blink malware was launched in March 2022 after its detection in February 2022. The UK and US authorities tracked its operators as the infamous Sandworm group, supposedly affiliated with the Russian GRU’s Main Center for Special Technologies. This group was previously linked to several destructive attacks, such as the infamous NotPetya attack in 2017 and the BlackEnergy campaign in 2015, where Ukraine’s power plants were targeted. Cyclops Blink is a modular malware believed to be the successor of the VPNFilter botnet. The malware infects internet-connected devices through malicious firmware updates. It currently targets ASUS and WatchGuard devices. Cyclops Blink maintains persistence via the legitimate device firmware update process that’s directly linked to APT groups affiliated with the Russian government.
READ THE STORY: Hackread
How Meta fumbled propaganda moderation during Russia's invasion of Ukraine
FROM THE MEDIA: Days after the March 9 bombing of a maternity and children's hospital in the Ukrainian city of Mariupol, comments claiming the attack never happened began flooding the queues of workers moderating Facebook and Instagram content on behalf of the apps' owner, Meta Platforms. The bombardment killed at least three people, including a child, Ukraine's President Volodymyr Zelenskiy said publicly. Images of bloodied, heavily pregnant women fleeing through the rubble, their hands cradling their bellies, sparked immediate outrage worldwide. Among the most-recognized women was Mariana Vishegirskaya, a Ukrainian fashion and beauty influencer. Photos of her navigating down a hospital stairwell in polka-dot pajamas circulated widely after the attack, captured by an Associated Press photographer.
Online expressions of support for the mother-to-be quickly turned to attacks on her Instagram account, according to two contractors directly moderating content from the conflict on Facebook and Instagram. They spoke to Reuters on condition of anonymity, citing non-disclosure agreements that barred them from discussing their work publicly. The case involving the beauty influencer is just one example of how Meta's content policies and enforcement mechanisms have enabled pro-Russian propaganda during the Ukraine invasion, the moderators told Reuters.
READ THE STORY: Economic Times
Understanding global disinformation and information operations
FROM THE MEDIA: A new website launched by ASPI’s International Cyber Policy Centre is designed to identify nations using deception operations to manipulate potential adversaries, and their own populations. The Understanding Global Disinformation and Information Operations website provides a visual breakdown of the publicly available data from state-linked information operations on social media. ASPI’s information operations and disinformation team has analysed each of the datasets in Twitter’s information operations archive to provide a longitudinal analysis of how each country’s willingness, capability and intent has evolved over time. Our analysis demonstrates that there’s a proliferation of state actors willing to deploy information operations targeting their own populations, as well as those of their adversaries. Russia, Iran, Saudi Arabia, China and Venezuela are the most prolific perpetrators. By making these complex datasets available in accessible form, ASPI is broadening meaningful engagement on the challenge of state actor information operations and disinformation campaigns for policymakers, civil society and the international research community. Since October 2018, Twitter has released the tweets, media and details of associated accounts that the social network believes were part of state-linked information operations. The datasets originated from 17 countries, including the usual suspects Russia, China and Iran, but also Armenia, Bangladesh, Cuba, Ecuador, Egypt, Honduras, Indonesia, Serbia, Spain, Thailand, Turkey, the United Arab Emirates and Venezuela.
READ THE STORY: ASPI Strategist
ZDNet falsely links countries to threats, claims Dragos as source
FROM THE MEDIA: ZDNet senior reporter Danny Palmer wrote about 10 "hacking groups" and said Dragos had cited each one as being linked to a particular country. For example, he listed a group known as Parasite and said it was suspected to be linked to Iran. A second group, Magnallium, was "thought to be related to APT 33, a state-sponsored Iranian hacking group". But Dragos chief executive and founder Robert M. Lee told iTWire that his company only attributed intrusions to clusters or groups. "So we’d say 'that’s XENOTIME', but not talk about attribution, i.e. it’s Russia," he added. Palmer listed the 10 groups, starting his list with, "According to Dragos, the most active threat groups targeting critical infrastructure are..." and then listing the country to which each was claimed to be linked. Said Lee: "We do acknowledge when governments do attribution. As an example, on XENOTIME the USG [US Government] came out in DoJ indictments and said they’re Russia; fine, the government can do that and, yes, we can acknowledge they have – but that’s not our work/assessment/etc."
READ THE STORY: iTWire
UN tries again with outer-space peace treaty
FROM THE MEDIA: This was followed by resolutions from the First Committee Disarmament and International Security and the General Assembly, which established the Open Ended Working Group on Reducing Space Threats Through Norms, Rules and Principles of Responsible Behaviors. International agreement on a peace treaty for outer space has been lacking for decades. A new working group is attempting a different path. The use of Elon Musk's Starlink satellites to bring internet connectivity to Ukraine following the Russian invasion and the cyber-attack on the Viasat network has again focused attention on the importance and vulnerability of space assets in a time of war. While Starlink helped Ukrainians communicate during the invasion, Musk warned users that the distinctive antennas could become targets for a Russian attack. The Starlink satellites, which operate in low Earth orbit, may also be legitimate targets under international law. This is only one example of the growing concern about space as a warfighting domain. A UN working group will meet for the first time next month to consider paths to peace. Space has been used for military purposes since the first communication and observation satellites were deployed in the 1950s, and the military has been deeply involved in the space programs of many nations. Weapons testing, including nuclear detonations, was conducted in space in the late '50s and '60s, raising concerns about the devastating possibilities of a war in space and its effect on Earth. Just as an exploration of space was becoming a technical possibility, we veered dangerously close to destroying ourselves and our future. This fear led to the creation of the UN Committee on the Peaceful Uses of Outer Space in 1958 and the drafting and negotiation of a 1967 agreement known as the Outer Space Treaty.
READ THE STORY: Devdiscourse
Items of interest
Chips with everything (Transcript)
FROM THE MEDIA: How Taiwan got stuck in the middle of the US-China tech rivalry.
Chad Duffy I’m based in Taipei, yeah, I’m based in Taipei. The security community here is really, you know, really deeply technical, is a really vibrant security community full of lots of just really talented software developers.
James Kynge That’s Chad Duffy. He works in cyber security. And if you want someone to stop hacking into your company’s computer system, you might call him. He’s American. But these days, he works for a company in Taiwan. Why? Well, because Taiwan is home to one of the most important technology industries in the world today: semiconductors. The computer chips you find in every phone, laptop, car and even missile system. And when you make semiconductors, sometimes people try to hack you.
Chad Duffy Job security-wise, it’s pretty amazing, really. It’s like attacking is definitely not going to stop.
James Kynge Chad’s company CyCraft is used to seeing security breaches. But towards the end of 2019, they got a call from a Taiwanese chipmaker about something completely new.
Chad Duffy Basically, they just saw, you know, some anonymous user behaviour, said, OK, you’ve discovered that like some of our files have been accessed and they came to us asking, hey, can you kind of put together this whole picture?
James Kynge What Chad and CyCraft found was a hack bigger and more sophisticated than they’d ever seen before. The hackers had burrowed deep into the chipmaker’s computer systems, staying there for months undetected, giving them free rein to move around and hoover up a gold mine of sensitive chip designs and other industry secrets.
READ THE STORY: FT
The INSANE World Of Underground Bio-Hacking (Video)
FROM THE MEDIA: Charles Morgan touches on revolutionary breakthroughs in the underground world of bio-hacking, and how they can potentially be great, or disastrous, depending on who's wielding the knowledge.
Gazprom breach by the Ukrainian hackers results in a fire (Video)
FROM THE MEDIA: Ukrainian hackers attacked an oil depot, resulting in a fire.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com