NSI Security NewsWatch

A weekly roundup of news, trends and insights designed exclusively for security professionals. This publication is intended for security staff only.


In this issue — March 3, 2021

  • Most IT Security Leaders Lack Confidence in Their Company’s Security Posture
  • The SolarWinds Body Count Now Includes NASA and the FAA
  • Air Force Base Prepping for EMP Vulnerability Tests
  • NSA Issues Zero Trust Guidance, Urging DoD and Contractors to Adopt Model
  • Cybercrime Groups Are Selling Their Hacking Skills. Some Countries Are Buying
  • Mariners Warned to Watch for Third-Party Impacts from SolarWinds Hack
  • DCSA Considers Changes to SF-86 as It Continues Clearance Reform Efforts
  • Former Air Force Contractor Pleads Guilty to Taking Classified Documents
  • Hackers Tied to Russia's GRU Targeted U.S. Grid for Years
  • Report: Mobile Phishing to Steal Government Credentials Increased 67% in 2020
  • Twitter Scrubs Accounts Tied to Russian, Iranian Influence Operations

Most IT Security Leaders Lack Confidence in Their Company’s Security Posture (Help Net, 3/1/21)

Almost 78% of senior IT and IT security leaders believe their organizations lack sufficient protection against cyberattacks despite increased IT security investments made in 2020 to deal with distributed IT and work-from-home challenges, according to an IDG survey.  That high level of concern over the ability to withstand cyberthreats is causing 91% of organizations to increase their cybersecurity budgets in 2021.

The survey examined the impact of the distributed IT landscape and pandemic-related transition to a remote workforce on IT security, including shifts in modernization priorities, projects undertaken in 2020, and major obstacles faced in strengthening cybersecurity defenses.  The survey found that 78% lack confidence in their company’s IT security posture and believe improvements are needed.  Respondents expressed the least confidence in their organization’s security roadmap (32%), security-related technology and tools (30%), and internal teams and skill sets (27%).


The SolarWinds Body Count Now Includes NASA and the FAA (Wired, 2/27/21)

In addition to infiltrating the unclassified networks of seven other U.S. government agencies, the suspected Russian hackers who compromised the IT services firm SolarWinds as a jumping-off point also penetrated NASA and the Federal Aviation Administration.  Researchers and officials testified before the Senate Intelligence Committee last week about the scope and scale of the attack.

The Washington Post reported ahead of the hearing that the Biden administration is preparing sanctions against Russia related to the SolarWinds espionage operation and other recent incidents of aggression.  The seven other breached agencies are the Departments of Commerce, Homeland Security, Energy, and State, the U.S. Treasury, the National Institutes of Health, and the Justice Department.  The White House said earlier this month that hackers also compromised 100 companies in the spree.  “This is the largest and most sophisticated sort of operation that we have seen,” Microsoft president Brad Smith said during last week’s hearing.


Air Force Base Prepping for EMP Vulnerability Tests (Nextgov, 2/26/21)

An Air Force base in Texas is getting ready to test its infrastructure against an electromagnetic pulse, or EMP, attack and needs to do preliminary site surveys to design future tests.  Officials at Joint Base San Antonio in Lackland, Texas, issued a request for quote for an EMP-tailored survey of the Petroleum, Oil and Lubrication (POL) complex, which consists of multiple buildings in two areas of the base connected by an underground pipeline.

The Air Force is conducting this test, and others, in accordance with a Trump-era executive order requiring the military and key agencies involved in securing critical infrastructure to put more resources into defending against EMP attacks, in which an electromagnetic wave could potentially knock out all electronic components in its wake.  “This will ensure critical fuel infrastructure remains operational, as well as contributes to a national Dissuasion Strategy intended to preclude adversarial use of EMP as a weapon,” according to the performance work statement.

******************************************************************************************

A Strong Security Posture Starts with Awareness

People are the weak link in any organization, opening attachments, downloading sensitive information onto thumb drives or sharing documents that they shouldn’t.  In most cases, employees receive some information security training when they join a company, but typically that isn’t repeated on a timely basis.  Just like computers, people must be patched at least every month.  Continuous security awareness solutions from NSI can help solve this problem and ensure everyone in your organization is up to speed on the latest security threats.

A more security-aware workforce can mean the difference between an employee preventing the next data breach, and becoming the next breach.  Protect yourself today with SECURITYsense, the premier information security awareness service from NSI.  It keeps your employees up to date on current threats and tells them how to protect against them — easily and cost effectively. To know more, click here https://www.nsi.org/securitysense/

******************************************************************************************

NSA Issues Zero Trust Guidance, Urging DoD and Contractors to Adopt Model (Fed Scoop, 2/25/21)

The NSA issued a cybersecurity information sheet last week with instructions for defense agencies and contractors on how to set up a zero-trust network architecture.  In it, NSA urges the entirety of the DoD and its contractors to implement zero trust for sensitive systems to better prevent data exfiltration.

“NSA strongly recommends that a Zero Trust security model be considered for critical networks to include National Security Systems, DoD networks, and Defense Industrial Base systems,” according to the document.  The push to zero trust — where compromise is assumed and users are asked to verify their identity as they move around a network — has grown stronger after the discovery of the massive SolarWinds hack last year.  The penetration of sensitive network components by suspected Russian hackers in the breach was another dire example of cybercriminals gaining wide access to information once in a network.


Cybercrime Groups Are Selling Their Hacking Skills. Some Countries Are Buying (ZD Net, 2/26/21)

Cyber-criminal hacking operations are now so skilled that nation-states are using them to carry out attacks in an attempt to keep their own involvement hidden.  A report by cybersecurity researchers at BlackBerry warns that the emergence of sophisticated cybercrime-as-a-service schemes means that nation-states increasingly have the option of working with groups that can carry out attacks for them.

The criminal group carries out the hacking operation, such as phishing, deploying malware, or breaching networks, and is paid for its work, while the nation-state that ordered the operation receives the information or access it requires.  It also comes with the added bonus that, because the attack was conducted by cyber criminals using their own infrastructure and techniques, it is difficult to link the activity back to the nation-state that ordered it.


Mariners Warned to Watch for Third-Party Impacts from SolarWinds Hack (HS Today, 2/25/21)

A recent Marine Safety Information Bulletin cautions the maritime industry that even if operators haven’t used SolarWinds Orion they might still be hurt by the continued exploitation of the software.  In December, CISA issued an emergency directive “in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors,” calling on “all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”

Through breaching the SolarWinds Orion products, an attacker was able “to gain access to network traffic management systems,” the directive said, stressing that “disconnecting affected devices … is the only known mitigation measure currently available.”  Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said last week that the investigation continues but nine federal agencies are known to have been compromised along with “about 100 private-sector companies,” mostly in the technology sector — “including networks of companies whose products could be used to launch additional intrusions.”


DCSA Considers Changes to SF-86 as It Continues Clearance Reform Efforts (ClearanceJobs.com, 2/25/21)

The Capitol Hill riots of January 6 have caused many to ask why veterans and some security clearance holders found themselves among those participating. Many have called for reforms to the clearance process, including updating the SF-86, or changing the adjudicative criteria to make sure domestic terrorism is addressed.  In a webinar sponsored by the Intelligence and National Security Alliance, Director of the Defense Counterintelligence and Security Agency William Lietzau noted that while QAnon or domestic terrorism might not be terms you see listed on the SF-86, that doesn’t mean the current security clearance process is unequipped to root out extremists and criminals.

“We don’t have a specific social media pull that looks for these kinds of things, but we’re looking for any criminal records, incident reports that would come from some kind of report hub,” said Lietzau.  He also noted that those who committed crimes on January 6 have come to the attention of DCSA: “It has worked; we have taken appropriate action.”  While changes aren’t required, that doesn’t mean there aren’t opportunities for improvement on the current SF-86.

Former Air Force Contractor Pleads Guilty to Taking Classified Documents (WHIO, 2/25/21)

A former contractor with the United States Air Force pleaded guilty in U.S. District Court last week to illegally taking around 2,500 pages of classified documents, according to a release from David M. DeVillers, the United States Attorney for the Southern District of Ohio.  Izaak Vincent Kemp, 35, was charged on Jan. 25 by a Bill of Information, according to the release.

More than 100 documents, which contained around 2,500 pages of material classified at the Secret level, were discovered by law enforcement after they executed a search warrant at Kemp’s home on May 25, 2019.  Court documents showed that Kemp was employed at the Air Force Research Laboratory from July 2016 to May 2019, and later as a contractor at the Air Force National Air and Space Intelligence Center.  Kemp also held a Top Secret security clearance while working at Wright-Patterson Air Force Base in Fairborn, the release said.


Hackers Tied to Russia's GRU Targeted U.S. Grid for Years (Wired, 2/24/21)

For all the nation-state hacker groups that have targeted the power grid in the U.S., and even successfully breached American electric utilities, only the Russian military intelligence group known as Sandworm has been brazen enough to trigger actual blackouts, shutting the lights off in Ukraine in 2015 and 2016.  Now one grid-focused security firm is warning that a group with ties to Sandworm’s uniquely dangerous hackers has also been actively targeting the U.S. energy system for years.

Cybersecurity firm Dragos published its annual report on the state of industrial control systems security, which names four new foreign hacker groups focused on those critical infrastructure systems.  Three of those newly named groups have targeted industrial control systems in the U.S., according to Dragos.  Most noteworthy, perhaps, is a group that Dragos calls Kamacite, which the security firm describes as having worked in cooperation with the GRU's Sandworm.

Report: Mobile Phishing to Steal Government Credentials Increased 67% in 2020 (Nextgov, 2/24/21)

In 2020, malicious hackers targeting government workers’ devices drastically sharpened the focus of their phishing efforts on obtaining victims’ login credentials—as opposed to delivering malware—making for more invasive and persistent attacks, according to a report from mobile security firm Lookout.  “Over 70% of phishing attacks against government organizations sought to steal login credentials, which is a 67% increase from 2019,” reads a key finding from the report released last week.

The report makes use of data from nearly 200 million devices and over 135 million mobile apps specific to government agencies Lookout serves.  The firm posits that the shift to remote work brought on by the pandemic will endure and is causing more government entities to consider telling their workers it’s OK to “bring your own device,” or BYOD.  But a look at the numbers in 2020 suggests increased use of such policies could lead to a new blind spot that hackers are already exploiting.


Twitter Scrubs Accounts Tied to Russian, Iranian Influence Operations (Cyber Scoop, 2/23/21)

Twitter has taken action against a slew of state-linked influence operations run from Russia, Iran and Armenia in recent days, the company announced.  One Russian influence operation, believed to be run by state actors, shared information that aligned with the Russian government’s goals and which sought to undermine NATO, according to a Twitter blog post.

Another Russian campaign appears to have links with the government-run troll farm that interfered in the 2016 presidential elections in the U.S.  The company removed the accounts for pretending to belong to people they were not.  The takedown of these efforts in recent days is emblematic of a pernicious threat that social media companies face in trying to establish ground truth on their platforms.  Twitter has been working for years to oust manipulative influence operations from its platform, and while it has seen some success, it continuously runs into repeat offenders who spread disinformation.


Keep Getting This Newsletter

To ensure delivery to your inbox (not bulk or junk folders), please add NSI@nsi.org to your address book.

SUBSCRIBE: If you were sent this by a colleague and wish to subscribe to NSI's complimentary Security NewsWatch e-newsletter, visit https://www.nsi.org/free-resources/.

Please feel free to share this e-mail with your colleagues and encourage them to sign up to get their own copy at https://www.nsi.org/free-resources/

ADVERTISERS: For information about sponsoring this e-letter, contact sburns@nsi.org or call 508-533-9099.

National Security Institute
165 Main Street, Suite 215
Medway, MA 02053
Tel: 508-533-9099
Fax: 508-507-3631
Internet: http://nsi.org


*****************************

Help Your Employees Become Cyber Aware

Experts agree that well-intentioned but careless employees pose just as much of a danger to your organization as faceless hackers on the outside. In fact, 95 percent of successful hack attacks or incidents are attributed to human error.

Learn how to mitigate the accidental insider threat and empower your employees to think securely with these valuable lessons:

  1. How to recognize and respond to social engineering attacks
  2. How to avoid spear-phishing and email scams
  3. How to avoid becoming an easy target for hackers
  4. How to prevent human errors that cause security breaches
  5. How to protect sensitive data from hackers, spies and ID thieves