Cyber Briefing ~ 04/26/2024
McCrary Institute for Cyber & Critical Infrastructure Security
Working to protect and advance U.S. interests in the areas of cyber and critical infrastructure security.
Director's Note
Dear Readers,
Welcome to this week's Director’s Note. This week on Cyber Focus, I had the pleasure of sitting down with Cheri Pascoe, director of the National Cyber Security Center of Excellence at NIST and the driving force behind the newly released NIST Cybersecurity Framework 2.0. Be sure to tune in for our insightful discussion on this critical update to the widely adopted cybersecurity framework.
As Rep. Mike Gallagher retires from Congress, he leaves a warning about China's dangerous and malicious cyber activities. In his final act as committee chair, he sounded the alarm on China's relentless efforts to infiltrate U.S. networks and cause "maximum destruction." Gallagher's leadership on cyber and national security issues will be sorely missed.
Recent reports reveal that the hackers used compromised credentials to gain a foothold more than a week before the Change Healthcare ransomware attack was detected. The attackers then stole a trove of sensitive data that Change Healthcare now admits could contain personal health information on "a substantial portion" of Americans. UnitedHealth eventually paid an estimated $22 million ransom but has already reported losses of $872 million from the incident, which will likely exceed $1 billion.
Cisco revealed that state-sponsored cyberspies exploited two zero-day vulnerabilities in its Adaptive Security Appliance firewalls to breach multiple government networks worldwide. The stealthy ArcaneDoor campaign, suspected to be aligned with Chinese interests, lasted several months before detection.
CISA's vulnerability warning pilot program has already issued over 2,000 alerts notifying organizations about ransomware gangs actively exploiting software flaws. Mandated by the Cyber Incident Reporting Act, this program scans for vulnerable internet-facing systems and misconfigurations, enabling CISA to warn owners before criminals can strike.
I wanted to share a good news story that I hope will serve as an innovative model for education generally and address the cyber workforce gap specifically. ASCTE, the Alabama School of Cyber Technology and Engineering, a trailblazing public boarding school in Huntsville, immerses students in hands-on STEM and cybersecurity projects. Instead of a traditional senior year, upperclassmen intern at government agencies and private companies, jumpstarting their cyber careers. I’m proud to serve as a trustee.
Sarah Powazek and McCrary Institute Senior Fellow Steve Kelly argue that the White House’s $20 billion investment in climate and clean energy projects hinges critically on cybersecurity. The expanding clean energy sector - from large solar/wind farms to distributed home installations - increases the attack surface that threat actors can target.
In case you missed it, three more stories covered our partnership with Oak Ridge National Laboratory to establish the Southeast Region Cybersecurity Collaboration Center (SERC3): SecurityBoulevard, POWER magazine, and Power-Grid International. The launch of SERC3 marks a big step in our mission to defend the grid. I look forward to updating you on this pivotal work in future newsletters.
War Eagle,
Frank Cilluffo
Cisco Systems has revealed that its firewalls were hacked by state-sponsored spies who exploited two zero-day vulnerabilities, allowing them to compromise multiple government networks globally. The hacking campaign, known as ArcaneDoor, targeted Cisco's Adaptive Security Appliances and is believed to be state-sponsored due to its espionage focus and sophistication. While Cisco has not disclosed the responsible country, sources familiar with the investigation suggest that the campaign aligns with China's state interests. Cisco has released software updates to address the vulnerabilities and urges customers to implement them immediately.
China has disbanded its Strategic Support Force (SSF) and replaced it with the Information Support Force as part of its military modernization efforts. The Information Support Force, directly subordinate to the Central Military Commission, will focus on the coordinated development and application of network information systems, including command and control, information security, and intelligence dissemination. The Cyberspace Force, responsible for offensive and defensive cyber operations, and the Aerospace Force, overseeing space operations, were existing departments of the SSF that have been renamed. The restructuring is seen as a strategic step towards improving China's military force structure.
Major North Korean hacking groups, including Lazarus, Kimsuky, and Andariel, have launched extensive cyber attacks against South Korean defense companies, breaching their internal networks and stealing technical data. The police, in collaboration with national spy agencies and private sector experts, traced the attacks to these groups through source IP addresses, signal re-routing architecture, and malware signatures. The hackers exploited security vulnerabilities, such as a temporary disengagement of the internal system's security program and the reuse of passcodes by subcontractor employees. The police did not disclose the names of the targeted companies or the specific data breached. North Korean hackers have previously targeted South Korean financial institutions, news outlets, foreign defense companies, and even the country's nuclear power operator.
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has imposed sanctions on two companies and four individuals involved in malicious cyber activity on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC). These actors targeted multiple U.S. companies and government entities using techniques such as spear phishing and malware attacks. The IRGC-CEC operates through front companies, including Mehrsam Andisheh Saz Nik and Dadeh Afzar Arman, to carry out cyber operations. The sanctions aim to expose and disrupt these networks' operations as Iranian cyber actors continue to pose a threat to the U.S.
Cheri Pascoe, director of the National Cyber Security Center of Excellence at NIST, recently oversaw an update to the NIST Cybersecurity Framework known as version 2.0. The widely-used original framework provided guidance on cybersecurity outcomes for organizations to reduce risk, but needed updating after 10 years. The update involved extensive community feedback through public workshops to ensure broad applicability and usability. Key changes include making it useful for all organizations, not just critical infrastructure, and understandable by all professionals. There is also increased emphasis on governance, with a new function added on the role of senior management in cybersecurity.
The Army has initiated a project to identify barriers to adopting artificial intelligence (AI) within 100 days. The project, launched in March, is examining issues such as poisoned datasets, adversarial attacks, and Trojans that may hinder the successful implementation of AI technology.
A state-sponsored hacking team, allegedly linked to the Iranian government, conducted a five-year cyber espionage campaign targeting US companies and government agencies. The campaign involved posing as a cybersecurity services company and using spearphishing emails to trick victims into clicking on malicious links. The US Departments of Treasury and State, defense contractors, and other entities were compromised, with the extent of data compromise still unclear. Four Iranian nationals have been indicted, and the US State Department is offering a reward for information leading to their apprehension.
The New York Times journalist Kashmir Hill bought a Chevrolet Bolt in December and later discovered that two data brokers had detailed records of her driving due to G.M. secretly providing them data. She didn't consent to G.M.'s Smart Driver program that shares data, but a tricky enrollment screen during purchase registered her. Millions unknowingly had driving tracked, leading to possible insurance hikes. G.M. has now stopped the data sharing amid lawsuits, though still collects vehicle data. Hill advises contacting OnStar to disable collection or using aftermarket tools to remove OnStar modules.
Frustration, stress, and increased liability are only a few downsides making many CISOs want different jobs, according to studies showing 75% are interested in changing roles. Experts cite unsatisfactory executive support, increased liability, and lack of authority despite high accountability as core problems. CISOs should push for direct board access and liability insurance, while executives must address CISO concerns or risk losing them amid high demand.
Anne Marie Schumann has been sworn in as the second-ever principal cyber adviser for the Department of the Navy. In this role, Schumann will provide insights on cyber forces recruitment, training, readiness, and acquisition of offensive and defensive capabilities. She will serve as the top cyber adviser to the Secretary of the Navy, Chief of Naval Operations, and Commandant of the Marine Corps. Schumann previously served as the senior cyber threat adviser on the Joint Staff.
UnitedHealth Group (UHG) has confirmed that the cyberattack on its subsidiary, Change Healthcare, in February affected a substantial proportion of Americans. The company has found files containing protected health information (PHI) and personally identifiable information (PII), but no evidence of exfiltration of complete medical histories. UHG has set up a website and call centers to assist affected individuals and is offering free credit monitoring and identity theft protection for two years. UHG CEO Andrew Witty will testify before the House Energy and Commerce Subcommittee on Oversight and Investigations on May 1.
The European Union has conducted unannounced inspections at the Dutch and Polish subsidiaries of the Chinese company Nuctech, which manufactures surveillance equipment. The inspections were carried out under the EU's foreign subsidies regulation, with officials accessing the company's ICT system and staff phones. The European Commission suspects that Nuctech may have received foreign subsidies that could distort the internal market. These inspections mark the EU's use of economic tools to investigate state handouts in various industries and address economic grievances with Beijing.
Director-General of the Australian Security Intelligence Organisation (ASIO), Mike Burgess, has warned that artificial intelligence (AI) is likely to enhance the capabilities of Australia's enemies, leading to increased espionage, disinformation, and radicalization. Burgess states that AI will make radicalization easier and faster, posing a significant threat. While acknowledging the potential opportunities of AI, Burgess calls on technology companies to collaborate with agencies to establish lawful access for end-to-end encryption, emphasizing that privacy cannot be absolute and technology should not be above the law. ASIO is currently investigating Australian nationals involved in an encrypted chat platform used for extremist communications.
UnitedHealth Group has confirmed that a ransomware attack on its subsidiary, Change Healthcare, resulted in the theft of a significant amount of Americans' private healthcare data. While the exact number of affected individuals is unknown, the stolen files may cover a substantial proportion of the population. Change Healthcare processes insurance and billing for a large portion of the US healthcare sector, granting access to vast amounts of health information. The admission comes as a new hacking group, RansomHub, published portions of the stolen data and demanded a second ransom from the company. UnitedHealth confirmed that it paid the initial ransom, but the amount was not disclosed.
Health insurance giant UnitedHealth Group has confirmed that cyber attackers compromised sensitive data from its subsidiary Change Healthcare, potentially affecting a significant number of Americans. The stolen files contain protected health information (PHI) and personally identifiable information (PII). While the exact number of individuals affected is still unknown, UnitedHealth has set up a call center to provide free credit monitoring and identity theft protection for two years. The cyber attack disrupted healthcare and billing operations across the industry. After UnitedHealth paid a ransom to the ALPHV/BlackCat ransomware gang, a new group called RansomHub emerged, claiming to possess the stolen data. The investigation is ongoing, and UnitedHealth advises individuals to monitor their statements and report any suspicious activity.
South Korean authorities have identified three North Korean hacker groups, Lazarus, Kimsuky, and Andariel, responsible for infiltrating the networks of 83 South Korean defense companies. The attacks, which occurred from October 2022 to July 2023, resulted in the theft of technical data from some of the companies. Previous attacks by these groups targeted critical South Korean industries, including the atomic research agency and the judicial system. In a joint advisory, Germany and South Korea warned of an ongoing North Korean cyber-espionage operation targeting the global defense sector.
China's newly established Information Support Force, led by the former deputy commander of the disbanded Strategic Support Force (SSF), Bi Yi, will enhance the gathering and sharing of information to support other military units. The force will play a crucial role in coordinating the construction and application of the network information system, as directed by President Xi Jinping. It will work closely with the aerospace force and cyberspace forces to strengthen situational awareness, improve joint operations capabilities, and conduct information operations more effectively. The restructuring reflects the PLA's focus on intelligent warfare and the division of labor among branches.
China's Defense Ministry has announced the creation of a new Information Support Force, replacing the Strategic Support Force, as part of military reforms. The move signifies the Chinese Communist Party's focus on information operations and dissatisfaction with the capabilities of the old command. The Information Support Force will have a sharp focus on networks, aligning with the US military's emphasis on cyber defense and information aggregation. The change highlights the ongoing adjustments in China's military and reaffirms Chinese leader Xi Jinping's unchallenged position within the party and state establishment.
The US government has announced criminal charges and sanctions against four Iranians for their alleged involvement in a multi-year cyber campaign targeting American companies. The individuals, along with two companies, are accused of spear phishing and using malware to compromise computer systems. The targets included defense contractors, an accounting firm, and a hospitality company. The charges highlight the threat posed by cybercriminals originating from Iran. The defendants are currently at large, and the alleged wrongdoing took place between 2016 and 2021.
Congress has passed legislation to ban or force the sale of TikTok, citing concerns over the video-sharing platform's Chinese ownership and alleged national security risks. The bill is expected to be signed into law by President Biden on Wednesday. The measure gives TikTok's parent company, ByteDance, nine months to sell the app or face a national ban. TikTok is expected to challenge the measure, setting up a potential legal battle. The legislation has bipartisan support and is tied to a broader funding package for foreign aid.
Auburn University and Oak Ridge National Laboratory (ORNL) have received a $10 million Department of Energy grant to establish a regional cybersecurity research and operations center called the Southeast Region Cybersecurity Collaboration Center (SERC3). The center will bring together experts from various sectors to share information and develop solutions to protect the nation's power grid. It will include a mock utility command center for training in real-time cyber defense. The project, valued at $12.5 million, aims to enhance the resilience of utilities against cyberattacks.
The McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University has received a $10 million grant from the Department of Energy to establish a cybersecurity research and operations center. The center, called the Southeast Region Cybersecurity Collaboration Center (SERC3), will work in partnership with Oak Ridge National Laboratory to protect the nation's electrical grid. It will bring together experts from academia, government, and the private sector to collaborate on safeguarding critical infrastructure and provide training for cybersecurity practitioners.
The Auburn Alumni Engineering Council inducted seven new members to its Class of 2029, including James Goosby, '00 electrical engineering, who serves as executive in residence at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security. The inductees represent distinguished engineering alumni who dedicate their time and expertise to supporting the Samuel Ginn College of Engineering's vision and goals.
Alabama's hybrid public boarding school in Huntsville aims to be a blueprint for the future of education. With a focus on STEM and cyber, the school teaches students the art of hacking and defending while also incorporating traditional subjects like history and language arts. The school's unique approach includes real-world job experiences, partnerships with industry, and a tuition-free option for students living on campus. The goal is to prepare students for an AI-infused workplace and provide them with the skills they need for the future.
Subscribe to our LinkedIn Cyber Briefing.
Subscribe to the daily Cyber Briefing email.
Subscribe to our Cyber Focus podcast.
Copyright © 2024 Auburn University's McCrary Institute. All Rights Reserved.