Welcome to The Cybersecurity 202! Another recommendation, for those who haven’t been tuning in: “Poker Face,” by the always-wonderful Rian Johnson.
Hackers target U.S. nuclear facilities, the latest in a long line of nuclear-related cyberattacks
Hackers are pursuing nuclear targets, which are some of the most heavily regulated facilities in the United States. Despite those safeguards, the opportunities for espionage and much worse have made them alluring to hackers.
The latest apparent espionage threat is a Chinese spy balloon over Montana, which is the site of several nuclear missile silos, my colleagues Dan Lamothe and Alex Horton report. Military advisers have advised President Biden against shooting down the balloon. The incident was first reported by NBC News.
- A Pentagon spokesman, Brig. Gen. Patrick Ryder, said that “the U.S. government acted immediately to prevent against the collection of sensitive information” once it spotted the balloon.
- Ryder said that the U.S. government has observed similar activity over a period of “several years.” A U.S. intelligence official said that similar balloons have been previously detected over Hawaii and Guam, which houses U.S. military assets.
And the leaders of two House committees on Thursday asked the Energy Department to send them documents related to cyberattacks by suspected Russian hackers aimed at U.S. national nuclear laboratories.
The Russian hackers, known as Cold River, went after nuclear scientists at Brookhaven, Argonne and Lawrence Livermore laboratories last summer, James Pearson and Chris Bing reported last month for Reuters.
“Although it is unclear whether the attempted intrusions were successful, it is alarming that a hostile foreign adversary targeted government labs working on scientific research critical to the national security and competitiveness of the United States,” Reps. James Comer (R-Ky.), chair of the Oversight and Accountability panel, and Frank D. Lucas (R-Okla.), chair of the Science, Space and Technology Committee, wrote in a letter seeking communications between agencies, labs and contractors.
Hackers who got into the U.S. nuclear command and control system could, theoretically, “trigger a false alarm, making us think that Russian nuclear weapons were on their way” — giving the president mere minutes to decide whether to launch a retaliatory strike, former White House cybersecurity adviser Richard Clarke said in a video for the nonprofit Nuclear Threat Initiative last year.
Joining the list
Here’s a partial accounting of prominent nuclear-related cyber incidents in recent years:
- One of the most famous computer worms is Stuxnet, a joint U.S.-Israel invention used to degrade Iranian nuclear centrifuges that was first discovered in 2010. Two years ago, Israel appeared to confirm another cyberattack on Iran’s main nuclear facility.
- The Justice Department last year unsealed charges against four Russian hackers over cyberattacks, including one on a breach of business systems at the Wolf Creek Nuclear Operating Corporation in Burlington, Kan.
- U.S. nuclear regulators have suffered cyberattacks. An internal investigation at the Nuclear Regulatory Commission (NRC) found the agency had been hacked three times between 2010 and 2013. The landmark SolarWinds hack led to compromised systems at the Department of Energy and its National Nuclear Security Administration (NNSA) in 2020. In 2005, hackers made off with information about 1,500 NNSA employees.
- Possible North Korean hackers breached the administrative systems of the largest power plant in India, the Kudankulam Nuclear Power Plant in Tamil Nadu, in 2019.
- North Korean hackers also were suspected in a 2014 hack on South Korea’s nuclear operator.
- In 2016, German news outlet BR24 reported about the discovery of a computer virus at the nation’s Gundremmingen nuclear power plant.
- Perhaps the most recent incident, aside from the targeting of national laboratories, came last summer when Russian hackers mounted an “unprecedented,” “major” attack on the website of Ukrainian state nuclear operator Energoatom, the company said. A top Ukrainian official had said earlier in the Russian war that its nuclear power stations were “well protected.”
State of defenses
The Biden administration has been trying to install baseline security mandates for more industries, but nuclear is a sector that is among the most regulated already, alongside defense contractors and the financial services industry. The NRC “has really strict rules,” a White House official speaking on the condition of anonymity to more candidly discuss matters told me in a recent interview.
The NRC first put cybersecurity rules in place in the early 2000s, and under existing regulations, nuclear power plant operators must submit security plans to the agency for approval. The NRC is expected to propose additional cybersecurity rules for fuel cycle facilities this summer.
- The security of U.S. nuclear weapons is less a matter of regulation than how well the NNSA protects them.
Still, there are shortcomings.
The NRC needs to reorient how it conducts cybersecurity inspections at nuclear plants to focus on measuring performance, the agency’s inspector general said in a 2019 report. The report also warned that “the inspection program faces future staffing challenges because demographic and resource constraints work against optimal staffing.”
The Government Accountability Office said in a report last year that the NNSA “and its contractors have not fully implemented six foundational cybersecurity risk practices in its traditional IT environment,” such as assessing and updating organization-wide cyber risks. “NNSA also has not fully implemented these practices in its operational technology and nuclear weapons IT environments,” it wrote.
U.K. regulators, FBI are soliciting information about ION cyberattack
After the London-based financial data group ION’s derivative trading unit was hit by a cyberattack, forcing several European and U.S. banks and brokers to process trades manually, regulators in both countries are looking into the hack. Lockbit, a ransomware gang, has threatened to publish stolen data from the firm, Reuters’s James Pearson and Danilo Masoni reported.
- The United Kingdom’s Financial Conduct Authority and Prudential Regulation Authority have started a joint probe, according to people familiar with the matter who spoke on the condition of anonymity to discuss the private conversations, Bloomberg News’s William Shaw and Mark Burton report. The FCA is “aware of this ongoing incident” and will continue to work with other agencies and firms affected, a spokesman said.
- The United Kingdom’s National Cyber Security Center is also looking into the cyberattack, Bloomberg News’s William Shaw reports.
- Meanwhile in the United States, “the issue is currently isolated to a small number of smaller and midsize firms and does not pose a systemic risk to the financial sector,” said Todd Conklin, the Treasury Department’s deputy assistant secretary of the office of cybersecurity and critical infrastructure protection. “We remain connected with key financial sector partners, and will advise of any changes to this assessment.”
- The FBI also said it is seeking information on the cyberattack and has reached out to several ION executives to learn about how it is impacting customers. The agency has not yet launched an official probe, but “is aware of this incident and has nothing additional to report at this time,” a representative of the agency said in an emailed statement to Bloomberg News’s Katherine Doherty and Lydia Beyoud.
“ION told clients Thursday that its systems won’t be fully operational until Feb. 5 and the firm still hasn’t been able to start several crucial recovery steps, according to email correspondence obtained by Bloomberg,” Shaw and Burton write.
The attack directly impacted 42 of ION’s clients, but has upended derivatives trading across the globe, “as transactions back up and firms struggle to determine their margin requirements to enter or exit positions, according to multiple people familiar with the matter,” they added.
North Korean hackers stole medical and energy research data in months-long breach
In a campaign that lasted between August and November 2022, the North Korean hacking group Lazarus stole nearly 100 gigabytes of research from private medical, chemical engineering, energy, and defense companies, along with information from a top university, according to a report released Wednesday by the Finland-based cybersecurity group WithSecure, Bill Toulas reports for Bleeping Computer.
The campaign, known as No Pineapple!, did not cause any immediate destruction to the victims. However, the group was able to obtain emails, administrator credentials and other details from devices, likely for intelligence purposes.
“WithSecure was able to attribute the activity based on multiple pieces of evidence,” Toulas writes, including “using IP addresses without domain names, a new version of the Dtrack info-stealer malware, and a new version of the GREASE malware used in admin account creation and protection bypass.”
According to WithSecure, the hackers also made a mistake — one of the web shells planted by the infamous group was communicating with a North Korean IP address — which helped confirm their identity.
House Homeland Security Committee chairman says panel will prioritize cyberthreats
After meeting with Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, House Homeland Security Committee Chair Mark Green (R-Tenn.) on Thursday said he is committed to strengthening the nation’s public and private resilience against cyberattacks. His comments come as a growing number of global adversaries are posing threats to U.S. infrastructure.
“The Committee has a clear charge on cybersecurity oversight efforts this Congress and it will be critical we work hand in glove with CISA and industry to meet those objectives,” Green said in a statement.
“My mission will be to strengthen CISA as an information enabler rather than as a regulatory agency,” Green said. “We are not here to overly burden industry, but we are here to ensure companies are doing their part to secure their systems and protect against the cascading and devastating impact one vulnerability can have on an entire network.”
National security watch
Harvard is shutting down project that studied social media misinformation (Drew Harwell and Joseph Menn)
Secure log off
Breaking: NSA preparing to the deploy Portable Intelligence Neutralizer pic.twitter.com/XN1AulFimj— Tyler McLellan (@tylabs) February 3, 2023
Thanks for reading. See you next week.