06 Jan Cyberwarfare Report, Vol. 5, No. 4: Hostile Nation-State Threats Sweep The Globe
Diary of international cyber aggression Sponsored by INTRUSION
Northport, N.Y. – Jan. 4, 2021
Hostile nation-state actors in North Korea, China, Russia, and Iran jolted the globe as they leveraged the trifecta of politics, pandemic-era fears, and the stunning SolarWinds compromise to wage cyberwar in the final quarter of 2020.
Adversaries' relentless attempts to derail U.S. elections, continuing even after the polls closed, deployed cyber-espionage, disinformation, impersonation, and intimidation tactics and stirred confusion among Americans. Threat actors also preyed on fears and vulnerabilities in the COVID-19 landscape, wielding sophisticated cyberattacks for substantial financial returns.
Meanwhile, the SolarWinds compromise shook the globe and reminded us that even organizations equipped with the best technologies and resources are not impervious to the dangers of cyberwar.
Dec. 30. U.S. Department of Defense (DOD) releases enterprise-wide data strategy to secure data management at the Pentagon. The 20-page document emphasizes operational advantage and focuses on senior leaders and warfighters who need to make better decisions, according to DOD’s chief data officer, David Spirk, who adds, “We will pay for operational advantage.” The deputy secretary of DOD, David Norquist, issued department-wide guidance around several data commandments, one of which states data must be protected with robust cybersecurity and access control.
Dec. 29. SlashNext Threat Labs observes a flood of zero-day spear-phishing attacks targeting specific employees of companies working on COVID-19 vaccines, according to Security Boulevard. Aiming to steal sensitive account credentials, the unknown threat actor impersonates Office 365 log-in pages hosted on more than 800 spear-phishing domains.
Dec. 29. SolarWinds publishes a security advisory detailing the SUNBURST and SUPERNOVA threats to its Orion Platform software. SUNBURST, malicious backdoor code inserted into Orion builds during the software build process, was previously addressed by the Cybersecurity and Infrastructure Security Agency's Emergency Directive 21-01. The sophisticated supply chain attack appears to have been used in a targeted way, since follow-on exploitation of the backdoor requires manual, hands-on activity by the attacker. A second piece of malware, referred to as SUPERNOVA, is not part of the trojanized update; it is "separately placed on a server that requires unauthorized access to a customer's network and is designed to appear to be part of a SolarWinds product."
Dec. 28. The Financial Crimes Enforcement Network (FinCEN) alerts financial institutions regarding fraud, ransomware attacks, and other criminal activity related to COVID-19 vaccines and their distribution. The notice follows the U.S. Food and Drug Administration's two emergency use authorizations for COVID-19 vaccines in the U.S., issued on Dec. 11 and Dec. 18, 2020.
Dec. 23. Cybersecurity and Infrastructure Security Agency (CISA) alerts that there are initial access vectors other than the SolarWinds Orion platform jeopardizing data security of companies across the nation. One suspected vector is the abuse of Security Assertion Markup Language (SAML) tokens. While CISA is working to confirm initial access vectors and identify any changes in behavior consistent with the adversary, it “expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
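The Dec. 23 entry above mentions abuse of SAML tokens. In this campaign the concern was tokens forged with a stolen AD FS token-signing key (the Golden SAML technique): such a token passes signature validation at the service provider, so the useful checks are on the token's claims and on whether the identity provider's own log shows it ever issued that assertion ID. The audit below is an added example, not code from CISA or any vendor; the issuer, audience, and assertion samples are hypothetical and constructed inline, and the signature element is omitted.

```python
"""Audit a SAML assertion logged by a service provider against an
IdP issuance log. Added example, not from CISA or any vendor: the
issuer, audience and assertions below are hypothetical/constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ISSUER = "https://sts.example.test/adfs/services/trust"  # hypothetical IdP
EXPECTED_AUDIENCE = "https://app.example.test/"                    # hypothetical SP
MAX_LIFETIME = timedelta(hours=1)


def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_assertion(xml_text, issued_ids):
    """Return a list of findings; an empty list means nothing looked wrong.

    A forged token signed with a stolen token-signing key passes signature
    validation, so this inspects the claims and, most importantly, whether
    the IdP's own issuance log contains this assertion ID."""
    a = ET.fromstring(xml_text)
    findings = []
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        findings.append(f"unexpected issuer {issuer!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        findings.append("missing validity window")
    else:
        lifetime = _utc(cond.get("NotOnOrAfter")) - _utc(cond.get("NotBefore"))
        if lifetime > MAX_LIFETIME:
            findings.append(f"lifetime {lifetime} exceeds {MAX_LIFETIME}")
        aud = cond.findtext("saml:AudienceRestriction/saml:Audience",
                            default="", namespaces=NS)
        if aud != EXPECTED_AUDIENCE:
            findings.append(f"unexpected audience {aud!r}")
    if a.get("ID") not in issued_ids:
        findings.append(f"assertion {a.get('ID')} absent from IdP issuance log")
    return findings


def _assertion(aid, not_after):
    # Constructed sample assertion; the Signature element is omitted.
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="{aid}" Version="2.0" IssueInstant="2020-12-20T10:00:00Z">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2020-12-20T10:00:00Z" NotOnOrAfter="{not_after}">
    <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


ISSUED_IDS = {"_a1b2c3"}                                   # what the IdP says it issued
LEGIT = _assertion("_a1b2c3", "2020-12-20T11:00:00Z")       # 1 h lifetime, ID known to IdP
FORGED = _assertion("_deadbeef", "2020-12-27T10:00:00Z")    # 7-day lifetime, never issued

if __name__ == "__main__":
    print("legit :", audit_assertion(LEGIT, ISSUED_IDS))
    print("forged:", audit_assertion(FORGED, ISSUED_IDS))
```

A careful attacker can forge a token with an ordinary lifetime and the right audience, so the issuance-log cross-check is the one that matters; the claims checks catch the sloppy cases and cost nothing.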
Dec. 22. The Institute for Security and Technology partners with experts in industry, government, law enforcement, nonprofits, cybersecurity insurance, and international organizations to launch new Ransomware Task Force (RTF). The collective initiative aims to tackle the lethal cybercrime tactic sweeping the globe. “The RTF’s founding members understand that ransomware is too large of a threat for any one entity to address, and have come together to provide clear recommendations for both public and private action that will significantly reduce the threat posed by this criminal enterprise,” according to Security Magazine. RTF’s website, including full membership and leadership roles, is expected to launch in January 2021.
Dec. 21. Fox Business reports Wall Street Journal (WSJ) identifies at least 24 organizations that installed the tainted SolarWinds Orion software. In addition to at least six previously identified federal agencies, the suspected Russian espionage operation has potentially compromised Cisco Systems Inc., Intel Corp., Nvidia Corp., Deloitte LLP, VMware Inc., Belkin International Inc., and other companies including hospitals and universities, according to WSJ's analysis of internet records. The Journal says it "gathered digital clues from victim computers collected by threat-intelligence companies Farsight Security and RiskIQ and then used decryption methods to reveal the identities of some of the servers that downloaded the malicious code."
Dec. 21. Microsoft, Cisco, GitHub, Google, LinkedIn, VMware and the Internet Association file an amicus brief in a legal case brought by WhatsApp against a 21st-century mercenary known as the NSO Group. "A growing industry of companies called private-sector offensive actors — or PSOAs — is creating and selling cyberweapons that enable their customers to break into people's computers, phones and internet-connected devices," says Microsoft. "Now, one of these 21st-century mercenaries, called the NSO Group, is attempting to cloak itself in the legal immunity afforded its government customers, which would shield it from accountability when its weapons inflict harm on innocent people and businesses." The amici argue that the mercenary's business model is dangerous and that immunity would allow it and other PSOAs to continue to operate without legal rules, responsibilities or repercussions.
Dec. 18. Cybersecurity and Infrastructure Security Agency (CISA) provides supplemental guidance to mitigate the SolarWinds Orion code compromise. It includes “an update on affected versions, guidance for agencies using third-party service providers, and additional clarity on required actions.”
Dec. 16. U.S. Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) form a Cyber Unified Coordination Group (UCG) to coordinate a “whole-of-government response” to the SolarWinds Orion software compromise. According to CISA, “The UCG is intended to unify the individual efforts of these agencies as they focus on their separate responsibilities. This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government.”
Dec. 14. Cybersecurity and Infrastructure Security Agency (CISA) issues Emergency Directive ordering federal civilian agencies to assess their exposure to a known compromise involving SolarWinds’ Orion products and to secure their networks against exploitation by malicious actors. “The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” says Brandon Wales, CISA’s acting director. The only known mitigation measure currently available is disconnecting affected devices to prevent attackers from gaining access to network traffic management systems. The directive requires, among other actions, department-level CIOs or equivalents to submit completion reports attesting to CISA that affected devices were either disconnected or powered down.
Dec. 14. U.S. government officials and SolarWinds confirm that about 18,000 private and government users — Department of State, Department of Homeland Security, Pentagon, intelligence agencies, nuclear labs, FireEye and other Fortune 500 companies — downloaded the Russian-tainted Orion software update that was originally reported by FireEye in early December. One of Russia's premier intelligence agencies — believed to be the S.V.R., a successor to the K.G.B. — embedded malicious code in the Orion software made by SolarWinds. Investigators believe the "hackers used multiple entry points in addition to the compromised Orion software update, and that this may be only the beginning of what they find," according to The New York Times.
Dec. 13. The Trump administration acknowledged that hackers — almost certainly a Russian intelligence agency — breached key government networks at the U.S. Treasury and U.S. Commerce Departments, and potentially other national security-related agencies. Initially reported by FireEye as an attack on its “Red Team tools,” investigators believe the global campaign involved inserting malicious code into periodic updates of SolarWinds’ Orion Platform software. The Texas-based company’s products are used to manage corporate and federal networks of more than 300,000 customers, including most of the nation’s Fortune 500 firms. If the Russia connection is confirmed, it will be the most sophisticated known theft of American government data by Moscow since Russian intelligence agencies compromised email systems at the White House, State Department, and Joint Chiefs of Staff in 2014 and 2015, according to The New York Times.
Dec. 10. The U.S. President’s National Infrastructure Advisory Council submits concept of operations to the White House outlining an approach for implementing a Critical Infrastructure Command Center (CICC) to help private sector win the cyberwar against nation-states. Originally proposed in 2019, the creation of a CICC would “operationalize intelligence in a classified space with senior executives and cyber experts from most critical entities in the energy, financial services, and communications sectors working directly with intelligence analysts and other government staff.”
Dec. 10. U.S. Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and Multi-State Information Sharing and Analysis Center issue advisory regarding numerous reports of ransomware attacks against K-12 educational institutions. The threats compromise confidential student data and disrupt distance learning services. ZeuS and Shlayer are among the most prevalent malware affecting K-12 schools. The reporting agencies expect these types of attacks to continue through the 2020/2021 academic year.
Dec. 9. Threatpost reports advanced persistent threat group SideWinder mounts a new phishing and malware campaign against the Nepali Ministries of Defense and Foreign Affairs, the Nepali Army, the Afghanistan National Security Council, the Sri Lankan Ministry of Defense, the Presidential Palace in Afghanistan, and other entities. In addition to using legitimate-looking webmail login pages to harvest credentials, the phishing emails deliver attached malware intended to install a cyberespionage backdoor that gathers sensitive information from its targets.
Dec. 8. FireEye succumbs to “the biggest known theft of cybersecurity tools” since the U.S. National Security Agency was hacked in 2016, according to The New York Times. Kevin Mandia, chief executive at FireEye, which is known for finding vulnerabilities in its clients’ systems — including the U.S. Department of Homeland Security and intelligence agencies — says the attackers “tailored their world-class capabilities specifically to target and attack FireEye” and “this attack is different from the tens of thousands of incidents we have responded to throughout the years.” The FBI’s preliminary investigation indicates an actor — likely Russian intelligence agencies — with a high level of sophistication consistent with a nation-state is responsible for the attack.
Dec. 7. U.S. National Security Agency (NSA) warns of Russian state-sponsored actors exploiting a command-injection vulnerability (CVE-2020-4006) in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products. Exploitation requires authenticated, password-based access to the web-based management interface of the device. NSA recommends National Security System, Department of Defense, and Defense Industrial Base network administrators patch affected systems ASAP according to VMware's instructions (KB81754), limit accessibility of the management interface on servers to only a small set of known systems, and block it from direct internet access.
Dec. 4. The White House drafts executive order that may allow U.S. Commerce Department to prohibit U.S. cloud computing companies such as Amazon and Microsoft from partnering with foreign cloud providers that offer safe haven to hackers. The effort to thwart foreign cyberattacks could also give the agency power to ban those foreign providers from operating in the U.S., according to anonymous sources familiar with the order.
Dec. 3. IBM Security X-Force's threat intelligence task force reveals a global spear-phishing campaign targeting executives at organizations headquartered in Germany, Italy, South Korea, the Czech Republic, elsewhere in Europe, and Taiwan. The executives are likely involved in company efforts to support the COVID-19 vaccine cold chain, the component of the vaccine supply chain that ensures the safe preservation of vaccines in temperature-controlled environments during storage and transportation. "The precision targeting of executives and key global organizations hold the potential hallmarks of nation-state tradecraft," according to the report.
Dec. 1. Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation report continued cyber intrusions by advanced persistent threat actors targeting U.S. think tanks. Attackers leverage low-effort capabilities such as spear-phishing emails and exploiting vulnerable remote work tools to gain persistent access to victims that focus on international affairs or national security policy. The reporting agencies urge individuals and organizations in these sectors to immediately implement the critical steps listed in the advisory and develop network defense procedures to prevent or rapidly detect attacks.
Nov. 30. Microsoft Threat Intelligence Center (MSTIC) reveals how nation-state actor BISMUTH uses cryptocurrency miner techniques, which trigger only low-priority security alerts, to launch cyberespionage attacks under the radar. The Vietnamese actor is historically notorious for targeting large multinational corporations, governments, financial services, educational institutions, and human and civil rights organizations using custom and open-source tools. The group’s latest campaigns leverage Monero coin miners to target private sector and government institutions in France and Vietnam. The MSTIC blog provides technical details about the attacks and recommends mitigation strategies for building organizational resilience.
Nov. 27. INTERPOL's National Central Bureau in Abuja, the Nigerian Police Force, and Singapore-based cybersecurity firm Group-IB, in an effort dubbed Operation Falcon, coordinate the arrest of three Nigerians believed to be members of the organized crime group TMT. The Nigerians — Onwuka Emmanuel Chidiebere, Ikechukwu Ohanedozie, and Onuegwu Ifeanyi — allegedly launched phishing campaigns loaded with malware and spyware to infiltrate and siphon funds from companies in over 150 countries since 2017. The suspects are scheduled to be arraigned in Nigeria.
Nov. 23. U.S. Federal Bureau of Investigation (FBI) identifies nearly 100 spoofed websites imitating the agency's name, posing potential cyber and disinformation risks. The alert states, "Cyber actors create spoofed domains with slightly altered characteristics of legitimate domains. A spoofed domain may feature an alternate spelling of a word, or use an alternative top-level domain, such as a '[.]com' version of a legitimate '[.]gov' website. Members of the public could unknowingly visit spoofed domains while seeking information regarding the FBI's mission, services, or news coverage. Additionally, cyber actors may use seemingly legitimate email accounts to entice the public into clicking on malicious files or links." The FBI urges all members of the American public to be diligent and provides mitigation efforts and guidance for reporting suspicious or criminal activity.
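The FBI alert above describes the two spoofing patterns: an alternate spelling of the legitimate label and an alternative top-level domain. The classifier below turns those patterns, plus common character look-alikes, into rules a brand-monitoring or mail-gateway job can run over newly registered domains or sender domains. It is an added example, not the FBI's tooling; the rules are illustrative and the domains used in the demo are constructed.

```python
"""Classify a domain as a lookalike of a legitimate one. Added example,
not from the FBI alert; rules mirror the alert's description (alternate
spellings, alternative TLDs) plus common homoglyphs. Test domains are
constructed."""

# Character sequences attackers swap for look-alikes; normalised before comparing.
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("5", "s"))


def _normalize(label):
    for bad, good in _CONFUSABLE_PAIRS:
        label = label.replace(bad, good)
    return label


def _edit_distance(a, b):
    # Levenshtein distance with the rolling single-row DP.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, legit="fbi.gov"):
    """Return a reason string if `candidate` imitates `legit`, else None.

    Splits on the last dot only: 'fbi.gov' -> ('fbi', 'gov'). Rules are
    checked from most to least specific."""
    cand = candidate.lower().rstrip(".")
    legit = legit.lower().rstrip(".")
    if cand == legit:
        return None
    c_label, _, c_tld = cand.rpartition(".")
    l_label, _, l_tld = legit.rpartition(".")
    if c_label == l_label and c_tld != l_tld:
        return "tld-swap"            # fbi.com standing in for fbi.gov
    if _normalize(c_label) == l_label:
        return "homoglyph"           # rnicrosoft.com for microsoft.com
    if _edit_distance(c_label, l_label) == 1:
        return "typo"                # fbl.gov, fbii.gov, fb.gov
    if l_label in c_label:
        return "brand-embedded"      # fbi-news.com, fbi.gov.example.com
    return None


if __name__ == "__main__":
    for d in ("fbi.gov", "FBI.com", "fbl.gov", "fbi-news.com", "cisa.gov"):
        print(f"{d:15} -> {classify(d)}")
```

The "brand-embedded" rule is a substring match, so for a three-letter brand like "fbi" it will produce false positives; in practice, feed the hits into a review queue rather than blocking on them, and keep the confusable table small and specific to the brand's characters.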
Nov. 23. Israel empowers female software engineering students with cyber training. The “take-off” program has been in the works for years and may diversify Israel’s intelligence services Mossad and the Shabak (Shin Bet Israel Security Agency). “I see girls in national service as important components, serving as spearheads on the front lines of the State of Israel’s cyber warfare,” says Israel’s intelligence minister, Eli Cohen, in The Jerusalem Post.
Nov. 19. U.S. Federal Bureau of Investigation provides critical information to help cybersecurity professionals and system administrators guard against Ragnar Locker ransomware. First observed in April 2020 when unknown actors used it to encrypt a large corporation’s files for an $11 million ransom, the malware now targets an increasing list of victims, including cloud service providers, communication, construction, travel, and enterprise software companies. The advisory states, “Ragnar Locker actors first obtain access to a victim’s network and perform reconnaissance to locate network resources, backups, or other sensitive files for data exfiltration. In the final stage of the attack, actors manually deploy the ransomware, encrypting the victim’s data.”
Nov. 18. U.S. Air Force (USAF) to conduct information warfare drills with its new cyberwarfare team to thwart growing threats from hostile nation-states such as China and Russia. The first-of-its-kind Information Warfare unit — 16th Air Force — “integrates multisource intelligence, surveillance and reconnaissance, cyber warfare, electronic warfare, and information operations capabilities across the conflict continuum to ensure that the Air Force is fast, lethal, and fully integrated into both competitions and in war,” according to the USAF.
Nov. 18. U.S. Army Cyber Command (ARCYBER) considers migrating its five regional cybersecurity centers (RCCs) to Information Technology Enterprise Solutions — 3 Services, a multiple-award contract typically used for cloud computing and cyber operations, according to Bloomberg Government. The consolidated management of the RCCs to a single contract, potentially exceeding $100 million in value, would help ARCYBER standardize cyber operations, improve disaster recovery and continuity of operations, and increase visibility of activity on the Defense Department’s classified and unclassified networks.
Nov. 13. Microsoft reports three nation-state actors originating from Russia and North Korea are targeting companies directly involved with COVID-19 vaccine research and treatment in Canada, France, India, South Korea and the United States. The attacks came from Russian threat actor Strontium and North Korean adversaries known as Zinc and Cerium. “Strontium continues to use password spray and brute force login attempts to steal login credentials. These are attacks that aim to break into people’s accounts using thousands or millions of rapid attempts,” says Microsoft. “Zinc has primarily used spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters. Cerium engaged in spear-phishing email lures using COVID-19 themes while masquerading as World Health Organization representatives.”
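Microsoft's description above distinguishes password spraying (a few guesses against many accounts) from brute force (many guesses against one account). The two leave different footprints in authentication logs, and the detection below keys on the spray footprint: one source failing against many distinct usernames with only a try or two each inside a short window. It is an added example, not Microsoft's detection logic; the log format and sample lines are constructed.

```python
"""Detect password spraying in authentication logs. Added example, not
from Microsoft's report; the log format and sample lines are constructed.

Spray signature: one source fails against many accounts with a try or two
each, inside a short window. Brute force against a single account (many
failures, one user) is deliberately not matched by this rule."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed format: "<ISO timestamp> <source ip> <username> <SUCCESS|FAIL>"
_LINE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_events(lines):
    events = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: [usernames]} for sources matching the spray pattern."""
    failures = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            failures[src].append((ts, user))
    hits = {}
    for src, fails in failures.items():
        fails.sort()
        best = None
        start = 0
        for end in range(len(fails)):          # sliding window over this source
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_users and max(per_user.values()) <= max_per_user
                    and (best is None or len(per_user) > len(best))):
                best = sorted(per_user)           # keep the widest matching window
        if best:
            hits[src] = best
    return hits


SAMPLE_LOG = """\
2020-11-10T08:00:01Z 203.0.113.5 alice FAIL
2020-11-10T08:00:04Z 203.0.113.5 bob FAIL
2020-11-10T08:00:07Z 203.0.113.5 carol FAIL
2020-11-10T08:00:10Z 203.0.113.5 dave FAIL
2020-11-10T08:00:13Z 203.0.113.5 erin FAIL
2020-11-10T08:00:16Z 203.0.113.5 frank FAIL
2020-11-10T08:01:00Z 198.51.100.7 bob FAIL
2020-11-10T08:01:01Z 198.51.100.7 bob FAIL
2020-11-10T08:01:02Z 198.51.100.7 bob FAIL
2020-11-10T08:01:03Z 198.51.100.7 bob FAIL
2020-11-10T08:01:04Z 198.51.100.7 bob FAIL
2020-11-10T08:01:05Z 198.51.100.7 bob FAIL
2020-11-10T08:02:00Z 192.0.2.9 alice FAIL
2020-11-10T08:02:20Z 192.0.2.9 alice SUCCESS
"""

if __name__ == "__main__":
    print(detect_spray(parse_events(SAMPLE_LOG.splitlines())))
```

A "low and slow" spray spread across many source addresses and a long window will slip under a per-source rule like this one; the complementary view is per-password-attempt count across all sources, or per-tenant distinct-username failures per hour regardless of source. Account lockout thresholds alone do not help, since a spray stays below them by design.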
Nov. 12. White House declares a national emergency and issues Executive Order on “Addressing the Threat from Securities Investments that Finance Communist Chinese Military Companies.” The order states that “the People’s Republic of China (PRC) is increasingly exploiting United States capital to resource and to enable the development and modernization of its military, intelligence, and other security apparatuses, which continues to allow the PRC to directly threaten the United States homeland and United States forces overseas, including by developing and deploying weapons of mass destruction, advanced conventional weapons, and malicious cyber-enabled actions against the United States and its people.” Among other directives, the order defines rules and regulations that prohibit United States persons from any transaction in publicly traded securities of any Communist Chinese military company.
Nov. 10. U.S. Department of Defense (DOD) pushes to adopt zero-trust security architecture in the wake of COVID-19. The action was provoked by moving millions of the agency’s employees to its new Commercial Virtual Remote telework environment during heightened pandemic-era cyber threats. DOD’s principal deputy chief information officer, John Sherman, tells FedScoop, “This crisis has forced us to think differently.”
Nov. 6. ZDNet reports North Korean hackers, in a campaign McAfee tracks as Operation North Star, use previously unknown tools in a cyber-espionage campaign targeting defense and aerospace companies in the U.S., Israel, Russia, India, and Australia. While the adversary continues to use previously reported social engineering and spear-phishing tactics, the attackers now deploy two stages of malware implants to target high-value individuals. "What is clear is that the campaign's objective was to establish a long-term, persistent espionage campaign focused on specific individuals in possession of strategically valuable technology from key countries around the world," say McAfee researchers in a blog post.
Nov. 5. Fraudsters deploy notorious banking Trojan hours after voter polls closed to leverage uncertainty of the U.S. presidential election, according to Information Security Media Group. The bad actors use hijacked email threads to launch spam and election-themed phishing attacks with an attached zip file labeled “ElectionInterference” that contains a malicious Excel spreadsheet. If Excel macros are enabled, the spreadsheet will unleash the Qbot banking Trojan and infect devices.
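The Qbot lure described above is a zip archive holding a macro-enabled spreadsheet, and the infection only proceeds if the user enables macros. A mail gateway can refuse that class of attachment without trusting file extensions: open the archive, and for each Office Open XML member (itself a zip) look for the embedded VBA project. The scanner below is an added example, not code from ISMG or any vendor; the archive it inspects is constructed inline to stand in for the real lure.

```python
"""Inspect a zipped e-mail attachment for macro-enabled Office documents.
Added example, not from any vendor; the sample archive is constructed
here so the block runs offline."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container
MAX_MEMBER = 20 * 1024 * 1024                      # refuse to inflate huge members


def scan_zip_attachment(data):
    """Return [(member_name, verdict)] judging each member by content, not extension."""
    verdicts = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if info.file_size > MAX_MEMBER:
                verdicts.append((name, "too-large-to-inspect"))
                continue
            blob = outer.read(info)
            if blob.startswith(OLE_MAGIC):
                # Binary Office format: macros live in an OLE stream; needs a VBA parser.
                verdicts.append((name, "legacy-ole-office: inspect for VBA"))
            elif blob.startswith(b"PK\x03\x04"):
                try:
                    with zipfile.ZipFile(io.BytesIO(blob)) as inner:
                        names = inner.namelist()
                except zipfile.BadZipFile:
                    verdicts.append((name, "corrupt-zip"))
                    continue
                # OOXML stores VBA in a vbaProject.bin part regardless of extension.
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    verdicts.append((name, "ooxml-with-vba-project"))
                else:
                    verdicts.append((name, "ooxml-no-macros"))
            else:
                verdicts.append((name, "other"))
    return verdicts


def _ooxml(with_vba):
    # Constructed minimal OOXML workbook; real files carry many more parts.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", OLE_MAGIC + b" placeholder vba project")
    return buf.getvalue()


def build_sample():
    """Constructed stand-in for the lure: a zip with a macro workbook inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ElectionInterference_1.xlsm", _ooxml(True))
        z.writestr("clean.xlsx", _ooxml(False))
        z.writestr("readme.txt", "Please enable content to view.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in scan_zip_attachment(build_sample()):
        print(f"{member:30} {verdict}")
```

Renaming the workbook to .xlsx or .zip would not change the verdict, because the check keys on the vbaProject.bin part rather than the name. Legacy binary formats need a dedicated OLE/VBA parser, so the scanner only flags them for follow-up.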
Nov. 2. Homeland Preparedness News reports that U.S. Sen. Marco Rubio introduces legislation to establish the Adversarial Platform Prevention (APP) Act to govern data protection, censorship standards, and restrictions for “high-risk foreign software” operating in the United States. “High-risk foreign apps and software, like Chinese-owned TikTok and WeChat, pose a threat to personal privacy and U.S. national security,” says Rubio. “It is clear that we must establish a framework of standards that must be met before a high-risk, foreign-based app is allowed to operate on American telecommunications networks and devices. The APP Act does just that, and I hope my colleagues will join me in adopting a more expansive approach to protecting Americans’ user data and our security.”
Nov. 2. Bloomberg reports that the U.K. National Cyber Security Centre (NCSC), a division of Britain's signals intelligence agency GCHQ, dismantles more than 15,000 phishing and malware campaigns targeting Britain's National Health Service. The surge of cyberattacks is linked to the coronavirus pandemic, according to NCSC. Its swift intervention follows on the heels of the U.S. government's warning to American hospitals about "an increased and imminent cybercrime threat to U.S. hospitals and health-care providers."
Oct. 30. Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation report that an Iranian advanced persistent threat actor scanned state websites with the legitimate web vulnerability scanner Acunetix. The threat actor is responsible for mass dissemination of voter intimidation emails to U.S. citizens and of U.S. election-related disinformation campaigns intended to influence and interfere with the 2020 U.S. presidential election. The actor also attempted to exploit known website vulnerabilities, including directory traversal, Structured Query Language (SQL) injection and web shell uploads, and to leverage unique flaws in individual websites to obtain copies of voter registration data. The agencies confirm that the actor successfully obtained voter registration data in at least one state as a result of website misconfigurations and a scripted process using the cURL tool to iterate through voter records.
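Everything the Oct. 30 advisory attributes to this actor leaves a trace in ordinary web server access logs: the Acunetix user agent, traversal and SQL injection payloads in request URLs, and a cURL client walking voter record IDs one after another. The analyzer below runs those four checks over access-log lines in the common "combined" format. It is an added example, not the advisory's own detection content; the log lines are constructed and the signatures are illustrative rather than exhaustive.

```python
"""Flag scanner traffic, injection attempts and record enumeration in web
server access logs. Added example, not from the CISA/FBI advisory; the
sample log lines are constructed and the signatures are illustrative."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format.
_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
_SQLI = ("' or ", "or 1=1", "union select", "sleep(", "waitfor delay")


def analyze(lines, enum_min=5):
    """Return [(source_ip, rule, path)] findings for the given log lines."""
    findings = []
    ids_seen = defaultdict(list)   # (ip, path) -> numeric id values requested
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        ip, method, raw, status, ua = m.groups()
        decoded = unquote(unquote(raw))        # undo double URL-encoding as well
        parts = urlsplit(decoded)
        if "acunetix" in ua.lower():
            findings.append((ip, "scanner-ua", parts.path))
        if "../" in decoded or "..\\" in decoded:
            findings.append((ip, "traversal", parts.path))
        if any(sig in decoded.lower() for sig in _SQLI):
            findings.append((ip, "sqli", parts.path))
        for value in parse_qs(parts.query).get("id", []):
            if value.isdigit():
                ids_seen[(ip, parts.path)].append(int(value))
    # Scripted enumeration: one client walking consecutive record ids.
    for (ip, path), ids in ids_seen.items():
        ids = sorted(set(ids))
        consecutive = all(b - a == 1 for a, b in zip(ids, ids[1:]))
        if len(ids) >= enum_min and consecutive:
            findings.append((ip, "record-enumeration", path))
    return findings


SAMPLE_LOG = """\
203.0.113.44 - - [30/Oct/2020:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.66 - - [30/Oct/2020:12:00:05 +0000] "GET /search?q=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Acunetix)"
203.0.113.66 - - [30/Oct/2020:12:00:06 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.66 - - [30/Oct/2020:12:00:07 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.77 - - [30/Oct/2020:12:10:00 +0000] "GET /voter/lookup?id=1001 HTTP/1.1" 200 640 "-" "curl/7.68.0"
203.0.113.77 - - [30/Oct/2020:12:10:01 +0000] "GET /voter/lookup?id=1002 HTTP/1.1" 200 633 "-" "curl/7.68.0"
203.0.113.77 - - [30/Oct/2020:12:10:02 +0000] "GET /voter/lookup?id=1003 HTTP/1.1" 200 641 "-" "curl/7.68.0"
203.0.113.77 - - [30/Oct/2020:12:10:03 +0000] "GET /voter/lookup?id=1004 HTTP/1.1" 200 628 "-" "curl/7.68.0"
203.0.113.77 - - [30/Oct/2020:12:10:04 +0000] "GET /voter/lookup?id=1005 HTTP/1.1" 200 637 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for ip, rule, path in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {rule:20} {path}")
```

The enumeration rule is the one worth tuning: it only fires on strictly consecutive IDs from a single source, so an actor who randomizes IDs or spreads requests across addresses needs a volume-based rule (distinct record IDs per source per hour) instead. The scanner user-agent check is trivially evaded, but it is still the cheapest way to catch the noisy reconnaissance phase the advisory describes.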
Oct. 28. Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services warn the Healthcare and Public Health (HPH) Sector of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. The advisory describes the tactics, techniques, and procedures used by cybercriminals to target the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
Oct. 27. Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and U.S. Cyber Command Cyber National Mission Force warn commercial sector businesses around the world of malicious cyber activity by the North Korean advanced persistent threat group Kimsuky, which the U.S. government tracks under its HIDDEN COBRA designation for North Korean state cyber activity. The advisory describes the tactics, techniques, and procedures used by Kimsuky to gain intelligence on various topics of interest to the North Korean government.
Oct. 22. Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency warn Russian state-sponsored advanced persistent threat actor — known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala — is targeting U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. The threat actor has successfully compromised network infrastructure and exfiltrated data from at least two victim servers.
Oct. 22. Despite the Trump administration’s concern about Iran’s interference with the presidential election, U.S. intelligence officials argue that Russia is a graver threat to American voting infrastructure, according to The New York Times. Officials did not highlight the adversary’s plan, but they believe its endgame would be intended to help President Trump win elections — especially if the race is too close to call. “American officials expect that if the presidential race is not called on election night, Russian groups could use their knowledge of the local computer systems to deface websites, release nonpublic information or take similar steps that could sow chaos and doubts about the integrity of the results,” according to officials briefed on the intelligence.
Oct. 20. U.S. National Security Agency (NSA) reports Chinese state-sponsored actors are one of the greatest threats to U.S. National Security Systems, the U.S. Defense Industrial Base, and Department of Defense information networks. The adversary uses a full array of tactics and techniques to exploit publicly known vulnerabilities in computer networks containing sensitive intellectual property, economic, political, and military information. The advisory identifies and describes the Common Vulnerabilities and Exposures (CVEs) that are actively operationalized by Chinese state-sponsored cyber actors. NSA also provides general recommendations and urges network defenders to prioritize patching and mitigation efforts immediately.
Oct. 19. U.S. Justice Department indicts six Russian military intelligence officers connected to worldwide cyberattacks. The suspects, who worked for Unit 74455 of Russia’s Main Intelligence Directorate of the General Staff of the Armed Forces (aka G.R.U.), deployed destructive malware and took other disruptive actions through unauthorized access to victim computers. “This included cyber-enabled malicious actions aimed at supporting broader Russian government efforts — regardless of the consequences to innocent parties and critical infrastructure worldwide — to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) the country of Georgia; (3) France’s elections; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent on foreign soil; and (5) the 2018 Winter Olympics after a Russian government-sponsored doping effort led to Russian athletes being unable to participate under the Russian flag.” The military unit targeted thousands of U.S. and international corporations, organizations, and political campaigns and parties; foreign governments; entities and corporations associated with the 2018 Winter Olympic Games; and their respective employees.
Oct. 19. IBM Security researchers discover new malware campaign targeting online banking users in Brazil. Dubbed “Vizom” by the research team, the malware deploys remote overlay attacks to hijack user devices in real time. “What we found interesting about Vizom is the way it infects and deploys on user devices. It uses ‘DLL hijacking’ to sneak into legitimate directories on Windows-based machines, masked as a legitimate, popular video conferencing software, and tricks the operating system’s inherent logic to load its malicious Dynamic Link Libraries (DLLs) before it loads the legitimate ones that belong in that address space. It uses similar tactics to operate the attack,” according to IBM Security.
Oct. 16. Google’s Threat Analysis Group (TAG) reports Chinese threat actor APT31 targets U.S. election with python-based implanted malware. Previously reported targeting Biden campaign staffers, APT31’s new tactic impersonates McAfee via phishing emails, prompting victims to install malicious anti-virus software hosted on GitHub. Meanwhile, the threat actor discreetly installs malware and exfiltrates files using Dropbox as its command and control. “Every malicious piece of this attack was hosted on legitimate services, making it harder for defenders to rely on network signals for detection,” says TAG. Google is working with U.S government agencies and tech industry to thwart the threats.
Oct. 16. In a report dubbed "Operation Quicksand," Israeli cybersecurity firms Clearsky and Profero "uncovered the first known instance of a potentially destructive attack executed by MuddyWater, focusing on prominent organizations in Israel and in other countries around the world." MuddyWater, assessed to be a contractor of Iran's Islamic Revolutionary Guard Corps (IRGC), a U.S.-designated terrorist organization, delivered malicious code through phishing email attachments that coaxed users into downloading variants of the Thanos ransomware, or attempted to deploy Thanos after exploiting vulnerabilities in Microsoft Exchange servers. While the attacks were thwarted before inflicting harm, the adversary's methods may have been deployed in previously undetected attacks on Israel.
Oct. 9. Cybersecurity and Infrastructure Security Agency (CISA) warns federal agencies and state, local, tribal, and territorial (SLTT) governments of advanced persistent threat actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability in Windows Netlogon (CVE-2020-1472, known as Zerologon). The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities during a single intrusion to compromise a network or application. Although there is no evidence that the integrity of elections data has been compromised, CISA is aware of instances where this malicious activity resulted in unauthorized access to elections support systems, indicating there may be risks to elections information housed on government networks.
Oct. 6. Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing & Analysis Center report a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. The sophisticated Trojan commonly functions as a downloader or dropper of other malware. It is difficult to combat because of its “worm-like” features that enable network-wide infections, and it’s considered one of the most prevalent ongoing cyber threats. The reporting agencies recommend implementing the mitigation measures described in the alert, which include applying protocols that block suspicious attachments, using antivirus software, and blocking suspicious IPs.
Oct. 6. U.S. Department of Homeland Security (DHS) releases its 2020 Homeland Threat Assessment (HTA). In addition to Russia's key involvement in disinformation and misinformation threats ahead of the presidential election, DHS reports that nation-state advanced cyberattacks, namely from Russia, China, Iran, and North Korea, will mount against U.S. critical infrastructure. "Federal, state, local, tribal and territorial governments, as well as the private sector, will experience an array of cyber-enabled threats designed to access sensitive information, steal money, and force ransom payments."
Oct. 1. Cybersecurity and Infrastructure Security Agency (CISA) provides specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures to help the cybersecurity community protect U.S. critical infrastructure during heightened tensions between the U.S. and China. In addition to the recommendations listed in the Mitigations section of its Alert, CISA recommends organizations adopt a state of heightened awareness, increase organizational vigilance, confirm reporting processes, and exercise organizational incident response plans.
Oct. 1. U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) advises companies that facilitating ransomware payments to cyber actors on behalf of victims may risk violating OFAC regulations. The International Emergency Economic Powers Act and the Trading with the Enemy Act prohibit U.S. persons from engaging in transactions with actors on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). The advisory encourages organizations to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.
– Eli Kirtman is a freelance writer based in Cincinnati, Ohio.
Sponsored by Intrusion
Intrusion Inc. is a global provider of entity identification, high speed data mining, cybercrime and advanced persistent threat detection products.
Intrusion’s products help protect critical information assets by quickly detecting, protecting, analyzing and reporting attacks or misuse of classified, private and regulated information for government and enterprise networks.
We believe that the Internet should be a safe place to work! Free from cyber crime, ransomware, theft of trade secrets, harvesting corporate knowledge, insider threats, and IoT extraction of data.