THE KEY

Cyber pros are looking to history for guidance as they brace for retaliation following a U.S. cyberattack against Iran’s military command and control systems last week.

Iran has been one of the United States’ most consistent digital foes during the past decade. It’s also among the most nettlesome, with hackers targeting a broad swath of victims ranging from banks and hospitals to universities and government agencies.

Those digital strikes demonstrate patterns that might reveal how the Islamic Republic could use its hacking capabilities in an evolving tit-for-tat conflict that has included sanctions, cyber and physical attacks, and brinkmanship over Iran’s nuclear program, cyber pros told me.

First off, Iranian digital attacks are often aimed at making a big statement, Ari Schwartz, a top White House cybersecurity official during the Obama administration, told me.  

One of the country’s first major digital acts of aggression, for example, was a barrage of denial of service attacks against U.S. banks after the Obama administration imposed new economic sanctions in 2012. Those attacks seriously disrupted online banking at Bank of America, JPMorgan Chase and Wells Fargo among other financial institutions, but the hackers didn’t steal any information or destroy computer infrastructure.

A few years later, the regime went a step further, launching a 2014 cyberattack that destroyed company data at the Sands Casino, seemingly in retaliation for owner Sheldon Adelson’s caustic comments urging the United States to drop nuclear bombs on Iran and his staunch support for Israel.

“Something like Sands … is more what we should expect [now]. It makes more of a statement,” Schwartz, who’s now managing director for cybersecurity services at the law firm Venable, told me.

But Iran is unlikely to push the envelope so much that it prompts the United States to respond with a conventional attack, Jim Lewis, a cybersecurity expert at the Center for Strategic and International Studies, told me.

The situation is especially precarious because President Trump said he was within minutes of launching a conventional attack against Iran after it downed a U.S. surveillance drone, but pulled back after learning that as many as 150 people might be killed. Trump opted instead for a digital strike aimed at disabling systems controlling Iranian missile and rocket launchers and a new round of sanctions. 

Iran has denied that the U.S. cyberattack was successful. Iranian officials called the U.S. sanctions "outrageous and idiotic" and warned the United States had permanently closed any diplomatic chance at arresting Iran's nuclear program, my colleagues Erin Cunningham and Ruth Eglash reported this morning.

“They want to punish us. They want to make a point, but they don’t want to do it in a way that leads to airstrikes,” Lewis said.

That could mean a series of attacks against smaller targets, such as pipelines or smaller electrical utilities, none of which rises to a level that necessitates a U.S. response, Lewis said.

Iran might also target U.S. allies in the Persian Gulf, which would hurt U.S. interests but make it tougher to justify a U.S. counterstrike, he said.

Iran also has a long history of digital strikes in the Gulf region, most prominently a massive 2012 cyberstrike against the Saudi state oil company Saudi Aramco, which destroyed or damaged the contents of thousands of computers and temporarily endangered the flow of a substantial portion of the world’s oil supply.  

Finally, Iran is likely to aim for easy and poorly defended targets rather than go after a major company that’s better defended, Geoff Hancock, a principal at the company Advanced Cybersecurity Group, told me.

That means Iran is unlikely to target financial firms, which have vastly improved their defenses since Iran’s 2012 denial of service attacks, and they’re unlikely to aim for well-defended military targets, he said.

“They attack targets of opportunity,” Hancock said.

The oil and gas sector, which is generally a step behind the financial sector in developing digital protections, may be a possible target, though, Adam Meyers, vice president for intelligence at the cybersecurity firm CrowdStrike, told me.

“Oil and gas is a pretty routine target for Iranian intrusion, whether for intelligence collection or for disruptive or destructive attacks,” he said.

PINGED, PATCHED, PWNED

PINGED: There are eight major federal agencies that “currently fail to comply with basic cybersecurity standards” and have ignored dozens of warnings to fix serious vulnerabilities over the past decade, a Senate investigation into 10 years of watchdog data released this morning reveals. Those vulnerabilities could lead to a hack on the scale of a devastating 2015 breach when hackers linked to China stole more than 22 million security clearance files from the Office of Personnel Management, the report warns.

Among the agencies with “persistent cybersecurity problems” is the Department of Homeland Security, which recently suffered a breach of tens of thousands of records from its U.S. Customs and Border Protection division. DHS holds a “significant amount” of citizens’ personally identifiable information, but failed to patch software vulnerabilities even after 10 consecutive federally mandated audits, the report found. 

Other agencies fared no better: Seven of the eight agencies failed to adequately protect citizens’ personal information. And all eight used software that companies aren’t offering security updates for. 

The White House's budget office should get serious about demanding cybersecurity improvements and agencies must fill key IT jobs to address the cybersecurity risk, the report's authors, Sens. Rob Portman (R-Ohio) and Tom Carper (D-Del.), the chairman and ranking Democrat on the Permanent Subcommittee on Investigations, write. Congress should also consider legislation mandating that top agency tech officials have the power to force cybersecurity improvements, the senators say.

PATCHED: U.S. intelligence officials have “no indication” that Russia or other foreign adversaries have “disrupted or corrupted” voting machines or other election infrastructure ahead of the 2020 election, a senior intelligence official told reporters Monday.

But that doesn't mean they aren't trying to disrupt the 2020 election as Russia did successfully in 2016.

“We do believe that the 2020 elections are potential targets for state and nonstate cyber actors and we continue to observe unknown actors' attempts at suspicious and malicious activities against Internet-connected infrastructure,” the official stated.

Officials are closely monitoring ongoing disinformation campaigns from several countries, including Russia and China, which has been using English and Chinese language social media in the United States “to influence the political environment,” the official said. 

 

PWNED: A federal judge refused to dismiss a class-action lawsuit against Facebook over a September 2018 data breach that allowed hackers to access the data of 30 million people. Now, the company will be forced to move forward with litigation and hand over troves of evidence related to the breach, CyberScoop's Jeff Stone reports.

Facebook argued that it shouldn’t be punished for the hack because the attackers didn’t steal financial information or passwords. The company notified users 14 days after first learning about the breach, which allowed hackers to log in to user accounts using phony credentials. 

Facebook is juggling a number of lawsuits, including one from the District's attorney general for failing to protect the privacy of 340,000 D.C. residents.

PUBLIC KEY

A Chinese hacking group is targeting telecommunications providers and seemingly using people’s phone records to track their movements and contacts, according to a report out this morning from the cybersecurity company Cybereason.

The hacking group compromised at least 10 telecommunications providers across Europe, Asia and the Middle East and was able to access reams of information about their customers -- including who they called, where they were when they made those calls and how long the calls lasted, the report authors told me.  

But even though the hackers had access to information about millions of customers, Cybereason researchers only saw them actively tracking between 20 and 30 targets, suggesting this was a very targeted intelligence operation, the researchers said. The researchers declined to name specific targets but said examples might include “foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement.”

— More cybersecurity news from the public sector:

  • U.S. parcel delivery firm FedEx Corp on Monday sued the U.S. government, saying ... (Reuters)

  • We recently wrote about two U.S. firms that promised high-tech ransomware solutions but instead paid the cyber-attacker. A U.K. company appears to do the same. (ProPublica)

  • The Post's View: Ransomware attacks on U.S. cities are on the rise, and it’s time to break the cycle. (Editorial Board)

PRIVATE KEY

— Cybersecurity news from the private sector:

  • The U.S.-based research arm of China's Huawei Technologies Co Ltd - Futurew... (Reuters)

  • Cybersecurity issues are increasingly becoming a concern in mergers and acquisitions, a new survey shows, and lapses can jeopardize deals or haunt purchasers long after the deal is done. (Bloomberg)

  • Several employees were caught abusing the tool, which let them read users’ messages and passwords. (Joseph Cox)

THE NEW WILD WEST

— Cybersecurity news from abroad:

  • Huawei, the Chinese technology and telecoms group hit by U.S. sanctions, said on... (Reuters)

  • Police ordered the immediate return of work from Eurofins after it detected ransomware on its systems earlier this month, plastic pollution is forming a film on the rocks of Madeira's shore (Wired UK)

ZERO DAYBOOK

Today:

  • The House Homeland Security Committee will host a hearing on Artificial Intelligence and Counterterrorism at 10 a.m.

  • The House Homeland Security Committee will host another hearing on Cybersecurity Challenges Facing State and Local Governments at 2 p.m.

Coming Up:

  • The House Homeland Security Committee will bring in representatives from Facebook, Google, and Twitter to discuss their companies' efforts to address terror content and misinformation on Wednesday at 10 a.m.