The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Happy Hacksgiving: Officials warn of a surge of cyber threats

Welcome to The Cybersecurity 202! We'll be off tomorrow and Friday for Thanksgiving and then back in your inboxes Monday. Here's Langston Hughes's “Thanksgiving Time.” 

Below: Apple is suing NSO for hacking its devices, and an Ohio county official denied any involvement in an election security breach.

Thanksgiving is a prime time for cyber criminals

As Thanksgiving approaches, hackers and scammers are setting up a buffet of digital attacks and getting ready to feast on unguarded data. 

Holidays are often a busy and lucrative time for criminal hackers who target companies they suspect will be more vulnerable because they’re operating with bare-bones staff. 

Hackers also pepper consumers with digital scams focused on the holidays. Examples include emails and text messages that appear to be from online shops but actually contain malicious software that will infect their phone or computer and steal data. 

This year could be especially dangerous. 

  • The number of holiday-themed phishing text messages this year is nearly double what it was last year, according to a report by the cybersecurity firm Proofpoint. Many of the insidious texts try to con recipients into sharing credit card information to resolve problems delivering a nonexistent package, the company warns.
  • The United Kingdom’s National Cyber Security Centre warned more than 4,000 legitimate small businesses that their websites had been compromised by hackers who were stealing customers’ payment information. It implored the companies to install a software update to block the hackers’ access before the crush of online shopping on Black Friday.

Government agencies are also warning companies and consumers to be on guard against holiday attacks

“Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways — big and small — to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure,” the FBI and the Cybersecurity and Infrastructure Security Agency said in a joint alert.

They urged companies to prepare for the holiday by:

  • Identifying IT and cybersecurity workers who can respond rapidly over the holiday if there is a cyber threat
  • Giving staffers extra warnings about being wary of phishing emails and other cyber scams over the holidays
  • Reviewing plans for responding to cyber incidents
  • Making sure software patches are up to date and every computer system requires users to use multiple methods to authenticate that they are who they say they are

Holidays have proved especially damaging this year for companies hit with ransomware attacks

  • The Colonial Pipeline ransomware attack struck just before Mother’s Day weekend.
  • Meat processor JBS was hit with ransomware over Memorial Day weekend.
  • The Kaseya ransomware attack, which spread to the software company’s clients and ultimately compromised about 1,500 other businesses, hit during the Fourth of July weekend.

“We know that threat actors don’t take holidays,” CISA Director Jen Easterly said. “We will continue to provide timely and actionable information to help our industry and government partners stay secure and resilient during the holiday season.”

Schools have also been hit with cyberattacks during holidays.

CISA is taking a novel approach to urging consumers to be wary of cyberthreats during the holiday season. It’s releasing a carol called the “Twelve Days of Shopping” full of cybersecurity tips one verse at a time on its Twitter, Facebook and Instagram accounts. 

The keys

Apple sued NSO Group, accusing the spyware firm’s execs of being “amoral 21st century mercenaries”

The tech giant wants a federal court to bar NSO from using Apple software, services and devices, Craig Timberg, Reed Albergotti and Drew Harwell report. WhatsApp filed a similar lawsuit in 2019, which is working its way through the courts. 

“The lawsuit accuses NSO of enabling customers to target U.S. citizens, despite the company’s pledge that its spyware ‘cannot be used to conduct cybersurveillance within the United States,’ ” my colleagues write. Apple is suing the company under the Computer Fraud and Abuse Act, which bars people from “intentionally accessing a computer without authorization.” Apple argues that it was victimized because NSO used “Apple services and servers to perpetrate attacks on Apple’s users and data stored on users’ devices.” 

But it's not clear if the court will buy such a claim when Apple isn't the direct victim of the attacks

The spyware company has come under increased scrutiny in recent months after an investigation by The Washington Post and 16 media partners found that its Pegasus spyware was used to target journalists and human rights activists. 

NSO spokesman Oded Hershkovitz defended the company: “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers. Pedophiles and terrorists can freely operate in technological safe-havens, and we provide governments the lawful tools to fight it. NSO Group will continue to advocate for the truth.”

Apple is also notifying NSO victims and contributing at least $10 million to cybersurveillance research and advocacy organizations, the company announced.

Among the victims hacked with Pegasus via Apple devices were journalists and opposition politicians in El Salvador, the newspaper El Faro reported.

An Ohio county commissioner said he wasn't aware of an attempted election security breach

John Hamercheck (R), chairman of the Lake County Board of Commissioners, said on Nov. 23 he was not aware of an attempt to breach the local election network. (Video: The Washington Post)

Somebody plugged a private laptop into a county network inside the office of Lake County Board of Commissioners President John Hamercheck (R) during a spring primary election, and data captured from the county networks was later circulated at a ‘cyber symposium’ on alleged election fraud hosted by MyPillow executive Mike Lindell. But Hamercheck is speaking out now, saying he has no knowledge of any breach.

Hamercheck claimed there had been “much false or misleading information” about the incident but declined to elaborate, Amy Gardner reports.

“To my knowledge, there was never an attempt to access or breach the Lake County Board of Elections computer network that day,” he said. He said he would share more information publicly “as soon as we are finished gathering and verifying the appropriate materials.”

The FBI is investigating the Ohio incident, but Hamercheck said he hasn’t been interviewed by investigators. “State and county officials have determined that no sensitive data were obtained,” Amy writes. 

Lindell, an ally of former president Donald Trump, has pushed numerous conspiracy theories about the election. Douglas Frank, an Ohio-based scientist who has worked for Lindell, has met with county officials in Lake County and in Mesa County, Colorado, the site of a similar incident.

Senators are massaging a cyber incident reporting bill that irked the FBI

The changes came after FBI Assistant Director Bryan Vorndran told Congress that the FBI was “troubled” by legislative proposals that mandated companies in critical fields report cyber incidents to CISA but did not include the FBI in those reports. 

The Senate Homeland Security Committee’s new proposal tells CISA to work with the Justice Department when developing the rules, Politico Pro’s Eric Geller reports, citing a new draft of the legislation.

Lawmakers are trying to include the mandates in an annual defense authorization bill, a version of which has already passed the House. It’s not clear if the House co-sponsors of a similar proposal will endorse the changes.

Government scan

CISA should update its security plan for the communications sector, government auditors say

The Department of Homeland Security agreed with the Government Accountability Office's recommendation, which it said it would be able to complete by October 2022.

Government watchdog welcomes Treasury’s data collection on cyber insurance claims (NextGov)

Global cyberspace

Russian cybersecurity executive appeals to Putin as detention for treason extended (Reuters)

NSO was about to sell hacking tools to France. Now it’s in crisis. (MIT Technology Review)

World Cup host Qatar used ex-CIA officer to spy on FIFA (Associated Press)

Cyber scammer confesses to fraud fueled by cocaine, whiskey (Bloomberg)

Encryption wars

Massive hack gave police a window on cocaine, cash and killers (Wall Street Journal)

Cyber insecurity

For some recipe apps, your personal data is gravy (Tatum Hunter)

Industry report

The McDonald’s ice cream machine hacking saga has a new twist (Wired)

Secure log off

“When one's appetite craves turkey and will have no other fowl, it's Thanksgiving Time!” Thanks for reading. Have a great Thanksgiving! See you Monday.