Welcome to The Cybersecurity 202! I've seen “The Power of the Dog,” “Licorice Pizza,” “Drive My Car,” and “Don't Look Up,” so far this year, and I'm not rooting for any of them for Best Picture yet. Is there a better one in the mix?
The White House wants critical-sector companies to be on high alert
The White House has issued its starkest warning that Russia may be planning cyberattacks against critical-sector U.S. companies amid the Ukraine invasion.
There’s “evolving intelligence” that the Kremlin is actively exploring its cyberattack options, President Biden said in a statement, warning that companies have a “responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely.”
Deputy national security adviser Anne Neuberger described the alert as a “call to action” for companies to raise their cyber defenses, during a White House press briefing. She tied it to a series of U.S. intelligence releases in recent months aimed at shining light on Russian planning.
Biden later warned that he believes a Russian cyberattack “is coming” per CNN’s Kaitlan Collins:
"The more his back is against the wall, the greater the severity of the tactics he may employ," Biden says of Putin tonight, warning that he believes Russia will likely conduct a cyber attack. "The magnitude of Russia's cyber capacity is fairly consequential, and it's coming."— Kaitlan Collins (@kaitlancollins) March 21, 2022
Context: The alert comes after Russia has lobbed a series of digital attacks at the Ukrainian government and critical industry sectors. But there’s been no sign so far of major disruptive hacks against U.S. targets even as the government has imposed increasingly harsh sanctions that have battered the Russian economy.
- The public alert followed classified briefings government officials conducted last week for more than 100 companies in sectors at the highest risk of Russian hacks, Neuberger said. The briefing was prompted by “preparatory activity” by Russian hackers, she said.
- U.S. analysts have detected scanning of some critical sectors’ computers by Russian government actors and other preparatory work, one U.S. official told my colleague Ellen Nakashima on the condition of anonymity because of the matter’s sensitivity. But whether that is a signal that there will be a cyberattack on a critical system is not clear, Neuberger said.
- Neuberger declined to name specific industry sectors under threat but said they’re part of critical infrastructure — a government designation that includes industries deemed vital to the economy and national security, including energy, finance, transportation and pipelines.
The warning reflects a grave concern that U.S. companies aren’t sufficiently prepared to withstand a Russian cyber assault — even after years of concerted pressure from government cyber officials that ramped up even further in the run up to the Ukraine invasion.
Neuberger lamented that foreign hackers continue to regularly crack into companies using known computer bugs that the companies could have patched against if they were more diligent.
“This is deeply troubling,” she said. Neuberger compared the companies to New Yorkers that were robbed after leaving their doors unlocked.
The warning also reflects a deep anxiety that companies that have girded their defenses against Russian hacking will let their guards down as the Ukraine conflict drags on.
“The White House is running out of ways to keep the alert levels up for cyber incident responders,” Tatyana Bolton, a former Cybersecurity and Infrastructure Security Agency official who now leads cyber programs for the R Street Institute, told me. “It’s very difficult to stay on a high level of alert for a long amount of time because we’re humans and alert levels go down as time passes.”
A second U.S. government official Ellen spoke with described “fatigue” among industry cyber pros who’ve been working long hours for weeks on end as part of CISA’s “Shields Up” initiative to guard against Russian hacking.
“Since this heightened threat environment started, it’s been like ‘Shields Up.’ So people ask, ‘When do we put shields down?’ ” the official said.
Some industry officials said the government’s latest alert didn’t tell them anything they didn’t already know.
“I don’t see anything new there that we haven’t already been informed of,” Bill Fehrman, CEO of Berkshire Hathaway Energy and co-chair of the Electricity Subsector Coordinating Council, whose sector was given a classified briefing last week, told Ellen.
“Our defensive postures remain in ‘Shields Up’ position,” he added.
Government only has limited options to make private industry improve their cyber defenses.
Officials have gone into hyperdrive sharing information about cyberthreats and best practices, but mostly lack the authority to compel companies to adopt those practices.
In a handful of industries where government has broader cyber authorities, such as pipelines, its requirements have received a cool reception from industry leaders.
Congress recently passed a bill requiring critical infrastructure firms to alert the government when they’re hacked, but even that will take a year or longer to go into effect.
One hope among cyber analysts is that the focus on improving cyber defenses will outlast the current conflict.
“My hope is that the Russia crisis will spur long-term investments in cybersecurity and critical infrastructure resilience,” Mark Montgomery, executive director of the congressionally led Cyberspace Solarium Commission, told me. “My fear is it will be treated as it has been [after cyber crises] in the past and forgotten soon thereafter.”
Okta says no ongoing malicious activity after ‘attempt to compromise’ third-party contractor
The online verification company stated in a tweet that screenshot photos posted to Telegram by the ransomware hacking gang LAPSUS$ seemed to be related to a January “attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors.”
“There is no evidence of ongoing malicious activity beyond the activity detected in January,” Okta CEO Todd McKinnon said.
We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January. (2 of 2)— Todd McKinnon (@toddmckinnon) March 22, 2022
It wasn’t clear from the statement how much access the gang had to Okta systems. The hacking gang claimed the screenshots showed internal Okta systems. Okta said in an earlier statement that it was investigating the breach reports.
Okta is used by thousands of companies to verify employees’ identities before they access company digital systems making it an especially valuable hacker target.
One of the hacker screenshots purported to be of a dashboard for the cybersecurity company Cloudflare. Cloudflare CEO Matthew Prince said the company was resetting Okta credentials for some users out of an “abundance of caution.”
We are resetting the @Okta credentials of any employees who’ve changed their passwords in the last 4 months, out of abundance of caution. We’ve confirmed no compromise. Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer.— Matthew Prince 🌥 (@eastdakota) March 22, 2022
Microsoft is also investigating LAPUS$ claims it breached some of the company’s systems. Here’s more from CyberScoop’s AJ Vicens.
NSO Group’s former owners are locked in a court battle with its current owners
The fight stems from an effort to assess how much the embattled spyware company is worth — a valuation that could lead to a big payout for the former leaders of a fund that bought NSO Group in 2019, Stefan Kowski and Bastian Lueken of Novalpina Capital, Bloomberg News’s Jonathan Browning reports.
Kowski and Lueken were ousted by the fund’s investors in 2021 and replaced with Berkeley Research Group, which currently runs the fund. NSO’s value has likely dropped since then, largely due to extensive reporting by The Washington Post and 16 media partners that found NSO clients used its Pegasus spyware to hack devices belonging to journalists and activists.
NSO has reportedly mulled shutting down its Pegasus division since then.
“Lawyers for Kowski allege that BRG reneged on a commitment to get the Israeli company fairly valued,” Browning writes. “According to emails disclosed in Kowski’s filing, BRG responded to say that with NSO shutting down Pegasus, it was therefore ‘unfeasible (and was always unworkable)’ to conduct an independent valuation.”
Iran-linked hackers are trolling the head of Israel’s Mossad spy agency
A group of purported Iranian hackers released a document that they said was a stolen 2020 pay stub belonging to Mossad chief David Barnea. The gang said more sensitive leaks were on the way, Haaretz’s Omer Benjakob reports. It’s not clear if the leaked document is authentic, but it “was intended to disprove Israel’s claim that the hack was of an old device belonging to his wife” and therefore not of significance, Benjakob writes.
The group previously published a video showing personal photos, tickets, tax documents and a video clip of Barnea. The Israeli prime minister’s office said Barnea’s phone wasn’t hacked and the “materials in question are old,” the Times of Israel’s Emanuel Fabian reported.
“Israel believes the hack was revenge for an airstrike in Iran last month, which caused heavy damage to the country’s drone network,” Benjakob writes.
- Hackers have a history of taunting their victims and enemies online, as well as making boisterous claims about their exploits. For example, a hacker taunted top Obama administration officials after he hacked their accounts. And late last year, a hacker appeared to breach an FBI email system to vilify a security researcher.
Ransomware attacks on the supply chain are national security threat, officials say
Hacks targeting the U.S. logistics and shipping industries could crush the already struggling supply chain, warned a U.S. Customs and Border Protection intelligence bulletin dated March 7. Much of the bulletin focused on a cyberattack on Seattle logistics firm Expeditors International, though it didn’t say who was behind the attack, Yahoo News’s Jana Winter reports.
The hacks could also make it tougher to crack down on smuggling. “Large-scale attacks on the logistics industry pose the risk of increased illicit activity through ports of entry due to the shutdowns of computer systems which are essential to CBP processing and security procedures,” the bulletin said.
- Homeland Security Secretary Alejandro Mayorkas, CISA Director Jen Easterly, National Cyber Director Chris Inglis and other U.S. government officials speak at the Hack the Port 2022 conference this week.
- Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) speaks at an Information Technology Industry Council Bridge for Innovation event Wednesday at 11 a.m.
- CISA Executive Assistant Director Eric Goldstein and Department of Energy cybersecurity official Puesh Kumar speak at Accenture’s operational technology cybersecurity event on Wednesday at 1:30 p.m.
- CISA senior adviser and strategist Allan Friedman speaks at an Institute for Critical Infrastructure Technology event on Thursday at 1 p.m.
- The ShmooCon hacker convention convenes in Washington from Thursday through Saturday.
- Inglis speaks at the Atlantic Council’s opening of its DC Cyber 9/12 Strategy Challenge on Friday at 8:30 a.m.
Secure log off
Thanks for reading. See you tomorrow.