- Yet some devices are still vulnerable to hacks. “Devices that acted as bots may remain vulnerable to Sandworm if device owners do not take … recommended detection and remediation steps,” the Justice Department warned.
- The number of previously infected devices decreased by just 39 percent from the time the update was issued to March 18, an agent wrote in a court filing. “Many victims likely lack the technical ability to independently remediate their devices, or do not regularly monitor industry reporting that would contain articles” about the malware, they wrote.
- The FBI also worked with foreign law enforcement agencies, giving them information about overseas devices that were infected by the group, a Justice Department official told The Cybersecurity 202.
The Justice Department’s operation to disrupt the botnet took place at the end of March, it said. It said it carried out the operation before any disruptive attacks using the botnet took place.
That timing is key given the threat Sandworm poses amid Russia’s war in Ukraine.
- The group is “one of the actors we have been most concerned about in light of the invasion,” Mandiant vice president of intelligence analysis John Hultquist said. “We are concerned that they could be used to hit targets in Ukraine, but we are also concerned they may hit targets in the West in retribution for the pressure being placed on Russia.”
Energy companies and the U.S. government are on high alert, with President Biden’s warning last month of “evolving intelligence” that Russia is exploring possible cyberattacks against American critical industries, Ellen Nakashima reports.
Industry executives worked with U.S. government officials to “draw up a playbook and help prepare the electricity sector to deal with potential cyberattacks by Russia,” Ellen writes. The guidelines stressed the importance of quickly sharing information about cyberattacks between the industry and government.
- “The collaboration between government and the private sector has seen exponential improvement over the last couple of years,” said Bill Fehrman, president and chief executive of Berkshire Hathaway Energy (BHE), which provides electricity generated by wind, solar, natural gas and coal to 12 million customers in the United States, Canada and Britain.
- “The main benefit,” he said, “is the more efficient transfer of information from the front line — the companies — to the government, and getting usable information back from the government in a timely manner.”
U.S. officials say they’re more prepared for a cyberattack than before. But “Russian malicious cyber actors have posed a high threat to the U.S. government and the critical infrastructure since before the invasion of Ukraine, and they will present a threat after this current crisis is resolved,” CISA Executive Director Brandon Wales said.
On the Hill
Congress is watching. At a Wednesday hearing on Capitol Hill, lawmakers pressed two top Biden administration cybersecurity officials on how information sharing and collaboration is actually working amid the administration’s warnings about potential Russian cyberattacks.
- “We have no way of knowing if these operators are hearing those warnings and taking action to shore up their defenses,” said Rep. Yvette D. Clarke (D-N.Y.), who chairs the House Homeland Security Committee’s cybersecurity subcommittee. “From where I’m sitting, one thing is clear: The United States desperately needs to revamp the playbook it uses for critical infrastructure cybersecurity.”
Lawmakers also homed in on the path forward for CISA, given that it's moving toward newly enacted requirements that critical organizations report hacks to the federal government.
Rep. Andrew R. Garbarino (N.Y.), the top Republican on the panel, asked CISA Executive Assistant Director Eric Goldstein if Congress should be concerned that the agency’s relationship with industry could change “if CISA takes more of a regulator role.”
“CISA’s role in the current space as a trusted partner in cybersecurity, where our goal is solely to catalyze improved cybersecurity as a voluntary partner, is one that's invaluable, and that's a relationship that we work very hard to preserve and advance with partners across sectors,” Goldstein said.
Facebook takes down covert influence campaigns aimed at Ukraine
The social media company said in a new report that it discovered efforts to falsely report Ukrainian reports as breaking the site’s rules and a campaign by the Ghostwriter group to hack members of Ukraine’s military, Naomi Nix reports. Ghostwriter has posted disinformation from infected accounts as if it’s coming from an authentic person.
“We continue to see operations from Belarus and Russia-linked actors target platforms across the Internet,” Facebook head of security policy Nathaniel Gleicher told reporters. “We know that determined adversaries like this will keep trying to come back.”
NATO officials warn of Russian cyberattacks on Ukraine
Russia’s cyberattacks before it invaded Ukraine were “unprecedented,” as “Russian cyber-units successfully deployed more destructive malware … than the rest of the world’s cyberpowers combined typically use in a given year,” NATO Assistant Secretary General David Cattler and principal analyst Daniel Black wrote in Foreign Affairs. Russia is also “deploying additional destructive malware on a weekly basis,” they wrote.
Russia could launch more devastating cyberattacks, they warned. “With the likelihood that the conflict will become a protracted war, Russia will probably not exercise restraint in its use of additional disruptive and destructive cyber-actions,” they wrote. “Russian President Vladimir Putin is most likely to double down on early cyber-successes and seek to further disrupt and undermine government, military, and civilian infrastructure, as well as defense industrial base enterprises. ”
Google removed dozens of data-harvesting apps from its app store
Researchers say the apps were installed on millions of Android devices, the Wall Street Journal’s Byron Tau and Robert McMillan report. They contained computer code from a Panamanian company that harvested location data and personally identifiable information. The code also had the ability to scan — but not necessarily view the contents of — users’ WhatsApp downloads folders.
The researchers shared their findings with the Federal Trade Commission (FTC) and Google, which said it removed the apps as of March 25. The apps can be relisted if they remove the code that collects the data, Google spokesman Scott Westover told the Journal. Some of the apps are already back on the app store.
The FTC declined to comment to the Journal on whether it was investigating because its investigations are not public. Measurement Systems, the Panamanian company, told the outlet that “the allegations you make about the company’s activities are false.”
Mandiant and CrowdStrike vow to collaborate
The agreement between the two companies extends a trend of cooperation among companies and the government as they work to battle cyberattacks, Joseph Menn reports. Mandiant, which is best known for leading investigations of breaches, will begin deploying protection tools from CrowdStrike as it advises customers and responds to breaches, executives told The Washington Post.
Last month, Google agreed to acquire Mandiant for $5.4 billion. The tech giant was a key early investor in CrowdStrike, but both sides said they were talking about boosting collaboration before the latest deal.
- Former Cybersecurity and Infrastructure Security Agency director Chris Krebs; and lawmakers speak at a disinformation conference hosted by the University of Chicago and the Atlantic today through Friday.
- The Center for Strategic and International Studies hosts an event on the national defense implications of commercial wireless networks today at 9:30 a.m.
Secure log off
Thanks for reading. See you tomorrow.