Welcome to The Cybersecurity 202! Hat tip to the judge in the bitcoin case detailed below for citing “The Big Lebowski” in his order, as Devlin Barrett notes. Ever wonder who’s the most cited musician in judicial opinions? The answer, my friend, is in this NPR piece from 2011.
Below: The Justice Department seized $3.6 billion in hacked bitcoin and arrested a couple for laundering some of the funds. Microsoft is in reported talks to buy Mandiant.
Companies need to heighten their guard against bad actor employees
Cyber threats don't always come from outside a company – they can come from malicious employees, too.
Government agencies and companies that are vital for national security aren’t doing nearly enough to prevent workers from stealing their data, a top research group for the federal government has found.
The danger of such “insider threats” has grown immensely during the past decade as employees of governments and companies have become increasingly tech-savvy and able to outsmart many monitoring systems, Chris Folk, director of cybersecurity policy at the MITRE Corporation, told me. MITRE runs a group of research labs on behalf of the federal government.
Growing threat
The big concern: Malicious insiders could release sensitive information to the public, as NSA leaker Edward Snowden did in 2013, or they could pass it along to U.S. adversaries such as China that are looking for ways to outsmart the U.S. government and better compete with U.S. firms.
The danger reached the stratosphere during the pandemic when many employees began working from home, where it’s far easier to transfer sensitive work information to personal devices and tougher for managers and co-workers to spot anomalous behavior.
“If we don't get a handle on how employees are behaving in the workplace, we are going to continue to see exponential amounts of data walking out the door,” Folk said.
The study
MITRE ran a recent study with DTEX, a Silicon Valley-based insider threat detection company, aimed at sussing out the tactics employees use to steal data and whether systems that are designed to catch outside hackers are helpful at detecting them. The study was sponsored by the Australian government's Cyber Collaboration Center but largely funded by MITRE and DTEX.
The big picture: After more than a decade of government and industry programs to address such insider threats, there’s little hard data on how to spot them, and systems designed to spot external hackers prowling through networks aren’t much help.
Now, DTEX is using data from that study to offer a new MITRE-approved insider threat detection program to government agencies and companies deemed critical infrastructure in the United States and its four closest intelligence-sharing allies: Canada, the United Kingdom, Australia and New Zealand.
MITRE is going to pull aggregate data from that work to fine-tune a framework for addressing insider threats to share with government and companies in critical industries, such as finance and energy. MITRE is best known in cybersecurity circles for a similar system for combating cyberattacks known as the ATT&CK framework.
The goal: to get critical organizations as good at protecting against data thieves inside their own ranks as they are at protecting against external hackers.
“Companies are doing a great job — admittedly not perfect — but a great job of really locking down their networks from the external threat, and the only place left for that information to get out is going to be through insiders,” Folk said. “When you have an insider, it's much harder to detect them because they can look very much like everybody else in the network.”
Here’s how the study worked:
- MITRE ran a two-month experiment where it tasked 100 of its roughly 10,000 employees with trying to steal sensitive company data and it hooked up DTEX sensors to see if the companies’ techniques could spot them.
- Half of the insiders were just taking data without much savvy, while the other half were highly trained technologists who were skilled at avoiding detection — a group the companies dub “super malicious insiders.”
- DTEX spotted nearly all the insiders but in many cases didn’t know how much they’d stolen. In two cases, super-malicious insiders went undetected — including one who duped a co-worker into stealing the data for him.
DTEX and MITRE ran a pilot of their upgraded insider threat detection system for the National Australia Bank. About 50 companies and government agencies have signed up to use the service, Folk and DTEX co-founder Mohan Koo told me. The customers don’t include any U.S. government agencies.
Because of a U.S.-government requirement for MITRE-developed technology, the program is being offered on a not-for-profit basis.
The keys
Justice Department arrests married couple, seizes $3.6 billion in allegedly hacked and stolen bitcoin
Prosecutors accused self-described “angel investor” Ilya Lichtenstein and rapper and email marketer Heather Morgan of trying to launder bitcoin currently valued at $4.5 billion that was stolen from the cryptocurrency exchange Bitfinex, Devlin Barrett reports. Court documents haven’t accused Lichtenstein and Morgan of hacking Bitfinex, and officials declined to say if they are suspected of committing the hack.
At the time of the theft in 2016, the total value of the stolen bitcoin was around $71 million, but it has since grown in value to around $4.5 billion. Prosecutors say they were able to seize around 94,000 stolen bitcoin, currently worth $3.6 billion.
It’s the single largest seizure of funds in Justice Department history. It’s also the highest-profile prosecution from the department’s new cryptocurrency investigations effort.
While the Justice Department’s bitcoin haul was big news, much of the focus landed on Morgan’s side projects as a rapper and designer of streetwear. Bloomberg News’s Jeff Stone included her on his hall-of-fame list of accused hackers and scammers who have posted “totally bonkers pics” on Instagram and other social media sites.
razzlekhan, aka @HeatherReyhan, is accused of laundering $3.6 billion, joining a long list of alleged scammers who spent their off-hours doing it for the gram. https://t.co/riabGwWmqK
— Jeff Stone 🌲 (@jeffstone500) February 8, 2022
"The only thing that's certain is it won't be boring or mediocre." https://t.co/OeAsCOqfkn pic.twitter.com/HfOOVBCMSu
Observers were also perplexed by Morgan's explicit rap videos and her unique style:
I deeply, deeply regret to inform you that this is the rap video of the woman who was just arrested as part of an alleged husband-wife scheme that laundered some $3.6 billion in crypto. https://t.co/F6jSC4U4bY
— Kevin Collier (@kevincollier) February 8, 2022
Morgan, who rapped under the name Razzlekhan, may have telegraphed her willingness to flout the law, announcing in one of her raps that "following rules is for fools, instead I work the edge case with my tools."
Heather Morgan, an individual alleged to have laundered $4,500,000,000 in Bitcoin cryptocurrency, frequently uploaded videos of herself onto TikTok under the username "realrazzlekhan". She raps, "following rules is for fools, instead I work the edge case with my tools" pic.twitter.com/bHbsf9QPGf
— vx-underground (@vxunderground) February 9, 2022
Israeli police say they only tried to hack three people named in reports
The claims contradict a report from the business publication Calcalist that police targeted dozens of Israelis using NSO Group’s powerful Pegasus spyware. The targets reportedly included protest leaders and the son of former prime minister Benjamin Netanyahu.
- Israeli leaders are planning a review of police claims led by Mossad, the country’s intelligence agency, and Shin Bet, the domestic security agency.
- That will probably be followed by an official state inquiry, the Jerusalem Post’s Yonah Jeremy Bob reports.
The fracas has led to a week-long postponement of Netanyahu's corruption trial, Shira Rubin reports. “Netanyahu’s lawyers had asked the court to postpone the testimony of prosecution witness Shlomo Filber after police acknowledged last week that they used spyware to access the contents of his cellphone,” Shira writes.
In other NSO news: The company gave the New York Police Department’s intelligence unit a demonstration of Pegasus in 2015, Motherboard’s Joseph Cox reports. Law enforcement agencies in New Jersey were also invited to the demo event. NSO has tried to pitch its spyware to other U.S. police departments as well. The FBI tested the technology but said it hadn’t been used “in support of any investigation.”
An investigation by The Washington Post and 16 news partners found that Pegasus was used to target dozens of devices belonging to journalists, activists and business executives. The Biden administration blocked NSO from receiving U.S. technology last year.
Microsoft is reportedly in talks to buy cybersecurity giant Mandiant
Such an acquisition would represent a major consolidation of the cybersecurity industry, with one of the nation's highest-profile cyber incident response firms potentially combining with one of the nation's biggest and most powerful tech platforms. It’s possible that the talks between the two companies won’t result in an offer, Bloomberg News’s William Turton, Liana Baker and Dina Bass report.
“Mandiant became a stand-alone company again last year when FireEye Inc. — which had acquired Mandiant in 2013 — sold its eponymous security-product business for $1.2 billion to a consortium led by Symphony Technology Group,” they write. Mandiant and Microsoft declined to comment to Bloomberg News.
The rest of the story: The remaining portions of FireEye previously combined with McAfee Enterprise and formed the new firm Trellix. CyberScoop's Joe Warminsky has all the details here and a broader look at cyber mergers and acquisitions here.
Ancient history: Mandiant gained recognition throughout government and industry when it published its APT1 report in 2013 — the most detailed public accounting of Chinese government-backed hacking of U.S. companies to that date. It’s since become standard practice for top cybersecurity companies to publish reports detailing hacking campaigns by Russia, China and other U.S. adversaries.
Global cyberspace
Hackers breached U.K. foreign office
The United Kingdom’s government revealed the “serious cybersecurity incident” affecting the Foreign, Commonwealth and Development Office (FCDO) in a contract announcement, the Stack’s Eliot Beer reports. The office is responsible for U.K. diplomacy and international development efforts.
Hackers breached the office but were detected, the BBC reported. An FCDO spokesperson declined to comment to the BBC but said it has “systems in place to detect and defend against potential cyber incidents.” The $633,000 contract with BAE Systems Applied Intelligence ended in January, according to a government website.
Daybook
- National Cyber Director Chris Inglis, CISA Chief of Staff Kiersten Todt and Principal Associate Deputy Attorney General John Carlin speak at the Cyber Initiatives Group’s first-quarter summit today.
- The Securities and Exchange Commission is set to consider new cybersecurity rules for investment advisers and companies at a meeting today at 10 a.m.
- The Senate Judiciary Committee is expected to discuss the EARN IT Act at a meeting Thursday at 9 a.m. The bill, which would remove social media sites’ liability protections when users share child pornography, has come under fire from encryption and privacy advocates.
- INSF and WCAPS host an event on challenges and opportunities for Black women in the intelligence community Thursday at 11 a.m.
- Cybersecurity firm Dragos hosts a webinar with NSA and CISA officials to discuss industrial control system cybersecurity on Monday at 1 p.m.
Secure log off
Today’s second @washingtonpost tiktok features the IRS again https://t.co/xQmbwTLwg5 pic.twitter.com/njCxLAYgip
— Washington Post TikTok Guy 🤹🏼♂️ (@davejorgenson) February 8, 2022
“Keep a clean nose. Watch the plain clothes.” Thanks for reading. See you tomorrow.