NSI Security NewsWatch

A weekly roundup of news, trends and insights designed exclusively for security professionals. This publication is intended for security staff only.

In this issue — September 16, 2020

  • CISA: Hackers Connected to China Have Compromised U.S. Government Systems
  • The Evolution of Terror: 6 Critical Threats 19 Years After 9/11
  • DOJ Says Russian Went Beyond Election Disinformation
  • DoD Wants Remote Workers to Be Able to Access Classified Information
  • NSA's Cybersecurity Directorate Still Figuring Out How to Measure Success
  • Election Hack Attacks Traced to Russia, China, Iran
  • Managers Who Stay Connected to Remote Employees Could Reduce Insider Threats, State Official Says
  • U.S. Cancels Visas of More than 1,000 Chinese Nationals Deemed Security Risks
  • Defense Contractors Must Wait Months for COVID-19 Reimbursements
  • Chinese Cyber Power Is Neck-And-Neck with U.S., Research Finds

CISA: Hackers Connected to China Have Compromised U.S. Government Systems (Nextgov, 9/14/20)

Instead of spending resources building new malware tools, sophisticated cyber actors, including those affiliated with China’s Ministry of State Security, are using known vulnerabilities and open-source exploits and have infiltrated federal government entities, according to the Cybersecurity and Infrastructure Security Agency.  “CISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks,” reads an advisory the agency released Monday along with the FBI.  CISA, housed within DHS, is responsible for overseeing cybersecurity across the nation.

The advisory lists tactics, techniques and procedures employed by Chinese MSS-affiliated cyber actors that CISA has observed over the past year.  They include how the Chinese government affiliates—and other cyber actors of varying levels of sophistication—are able to gain initial access, collect and store credentials, select targets and gather information, and build capabilities by establishing command and control within a compromised system.  “This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools,” the advisory states. More


The Evolution of Terror: 6 Critical Threats 19 Years After 9/11 (HS Today, 9/11/20)

When the planes hit the Twin Towers, the Pentagon and a field in Shanksville, Pa., 19 years ago, it wasn’t the beginning of the war on terror but the advent of a more public-facing chapter in the global terror fight.  After all, al-Qaeda left its calling card on the World Trade Center in 1993, killing seven and injuring more than a thousand people with a bomb in the underground parking garage.  It wasn’t until 2001, though, that the terror group tried to take down the towers again — with an evolved and expanded plan that, over three locations, took 2,977 lives and injured thousands more.

In terrorist circles that now reach into every corner of the world via mountains of online propaganda and open-source tactic tutorials, the 9/11 attacks are still hailed as a gold standard of sorts — even ISIS propaganda periodically invokes al-Qaeda’s handiwork that day with 9/11 imagery while promising to similarly attack the United States.  But as tactics evolved from the first World Trade Center bombing to the second, so have terror groups, independent cells, and lone extremists grown and evolved through mixing psychological and physical warfare, drawing from a diverse recruitment pool, moving operations including training into the virtual realm, picking softer targets and simple weapons, focusing on cyber operations, and disseminating online materials that inspire, recruit, incite, and teach would-be attackers. More


DOJ Says Russian Went Beyond Election Disinformation (Gov Info Security, 9/11/20)

A Russian national who is allegedly part of an ongoing disinformation campaign targeting the upcoming U.S. election faces a charge of conspiracy to commit wire fraud, according to the DOJ.  Artem Mikhaylovich Lifshits, 27, of St. Petersburg, Russia, allegedly served as a manager for "Project Lakhta," a Russia-based effort to engage in political and electoral interference operations.  The project's goal is to disrupt the democratic process and increase public distrust of candidates and the political system, but it also ran cybercrime scams to steal money, prosecutors allege.

Lifshits is believed to be living in Russia, so he likely will never face the charge in the U.S. If he were convicted, he'd face a maximum penalty of 20 years in prison.  "Since 2014, Project Lakhta has sought to obscure its conduct by operating through a number of entities, including [Russia's] Internet Research Agency.  The Translator Department, where Lifshits served as a manager beginning around January 2017, is alleged to be responsible for much of Project Lakhta's influence operations, which are still ongoing," according to the DOJ. More

******************************************************************************************

Surge in Remote Work Heightens Cybersecurity Risks

Hackers have wasted no time figuring out how to exploit the worldwide COVID-19 pandemic.  Their latest target—employees working from home. With increased remote work, there is increased risk of employees accessing data through unsecured and unsafe Wi-Fi networks, falling prey to phishing and ransomware attacks, using personal devices to perform work, and not following security policies established by your organization. This increasing risk curve can be flattened dramatically simply by increasing employee awareness.

In addition to advice about washing our hands, people need to be reminded about practicing good cyber hygiene as well. Now you can take advantage of the service America’s most respected companies have been using to protect their critical information from the risks caused by lax employee cyber habits. NSI’s SECURITYsense awareness program gives employees the tools and information they need to make security second nature. Find out how this valuable resource can help protect your employees and ensure they’re part of the solution and not part of the problem. Click here https://www.nsi.org/securitysense/what-is-securitysense.shtml for more information.

******************************************************************************************

DoD Wants Remote Workers to Be Able to Access Classified Information (Fed Tech, 9/11/20)

The DoD is taking more steps to enable its remote workers to be able to access sensitive, classified information outside of the Pentagon’s secure environment.  As of August, the Pentagon had expanded its remote work capabilities to about 1 million personnel through its Commercial Virtual Remote collaboration environment, which “facilitates the exchange of low-risk, unclassified data and communications among users.” 

It’s been a critical tool as the DoD has enabled widespread telework during the coronavirus pandemic.  However, DoD CIO Dana Deasy and other defense officials have indicated they are working to enable access to classified information through the CVR environment, which uses the cloud-based Microsoft Teams collaboration tool.  Deasy has said his office was running “a lot of pilots” to improve the security of the CVR.  He noted that the Pentagon and its users are continually facing cyberattacks. More


NSA's Cybersecurity Directorate Still Figuring Out How to Measure Success (Cyber Scoop, 9/10/20)

Since the National Security Agency established a new directorate focused on cybersecurity, the organization once known as “No Such Agency” has engaged in some behavior that would have seemed revolutionary a decade ago: publicly sharing information about several large-scale hacking threats, including Russian hacking incidents, as well as information about a critical Microsoft vulnerability.  How successful the agency considers that behavior is still something it’s examining.

The NSA’s Cybersecurity Directorate, which was established last October in part to share more threat intelligence with the public and the private sector, has been examining the impact of its Cybersecurity Advisories in a variety of ways, the NSA’s Executive Director, Wendy Noble, said last week.  “The more important thing to track is how [CSD information gets] used, the operational outcome,” Noble said.  “We are working to develop those metrics to make sure we understand the value proposition … how it benefits government, how it benefits industry, and how it benefits our allies.” More


Election Hack Attacks Traced to Russia, China, Iran (Gov Info Security, 9/10/20)

Russian, Chinese and Iranian hackers are targeting organizations and individuals associated with the Republican and Democratic U.S. presidential campaigns, Microsoft reports.  The attacks against the parties, campaigns and consultants - the majority of which so far appear to have been blocked - have been attributed by Microsoft's Threat Intelligence Center to Russia's Strontium gang, aka APT 28 and Fancy Bear; China's Zirconium APT group; and Iran's Phosphorus APT group.

One attack targeted staff at Washington-based SKDKnickerbocker.  The campaign strategy firm is working with Democrat Joe Biden, his party's presidential nominee.  “The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated, and is consistent with what the U.S. government and others have reported," Microsoft says.  The security researchers emphasized that operations associated with both President Donald Trump and Biden are being targeted. More


Managers Who Stay Connected to Remote Employees Could Reduce Insider Threats, State Official Says (Nextgov, 9/10/20)

The coronavirus pandemic forced much of the federal workforce into a situation that usually serves as a primary indicator of insider threat, according to the State Department’s Jacqueline Atiles.  “People are isolated right now and that is the number one indicator of insider threat,” said Atiles, program director of State’s Insider Threat Program. She shared some tips for ensuring employees don’t compromise the safety of people, property or information from within the government during the month which the ODNI officially designated for that purpose last year.

A 2011 executive order required all agencies to implement an insider threat program.  Atiles noted the importance of managers staying connected with employees and paying particular attention to those entering and exiting the workforce–a group who might be especially vulnerable.  Managers should also share information across agencies.  “In terms of what has changed in the last six months,” she said, referring to the onset of increased remote work, “the stress level has increased across the board.  And people who may have been able to handle the stress before, are starting to peak.” More

U.S. Cancels Visas of More than 1,000 Chinese Nationals Deemed Security Risks (Reuters, 9/9/20)

The United States has revoked visas for more than 1,000 Chinese nationals under a presidential measure denying entry to students and researchers deemed security risks, the State Department said last week, a move China called a violation of human rights.  The acting head of DHS, Chad Wolf, said earlier that Washington was blocking visas “for certain Chinese graduate students and researchers with ties to China’s military fusion strategy to prevent them from stealing and otherwise appropriating sensitive research.”

In a speech, Wolf repeated U.S. charges of unjust business practices and industrial espionage by China, including attempts to steal coronavirus research, and accused it of abusing student visas to exploit American academia.  Wolf said the United States was also “preventing goods produced from slave labor from entering our markets, demanding that China respect the inherent dignity of each human being,” an apparent reference to accusations of abuse of Muslims in western Xinjiang. More


Defense Contractors Must Wait Months for COVID-19 Reimbursements (National Defense, 9/9/20)

Companies in the defense industry will have to wait five months or more before they are reimbursed for extra costs they’ve incurred due to the COVID-19 crisis, the Pentagon’s top weapons buyer said.  Section 3610 of the Coronavirus Aid, Relief and Economic Security, or CARES, Act and other authorities allow the DoD to provide funding to contractors for allowable expenses related to the pandemic.

However, although the legislation was passed by Congress in March, the Pentagon is still waiting for lawmakers to appropriate the funding, noted Undersecretary of Defense for Acquisition and Sustainment Ellen Lord.  It’s unclear when Congress might provide the money.  However, once that happens, it will still take a while before contractors receive their payments, according to Lord.  “We think it would take five to six months because once we got an appropriation, we would go out for a request for proposal [for reimbursement] and the larger companies are going to have to flow down those RFPs through their supply chain [and] gather the data,” she said. More

Chinese Cyber Power Is Neck-And-Neck with U.S., Research Finds (Cyber Scoop, 9/8/20)

As conventional wisdom goes, experts tend to rank the U.S. ahead of China, the UK, Iran, North Korea, and Russia in terms of how strong it is when it comes to cyberspace.  But a new study from Harvard University’s Belfer Center shows that China has closed the gap on the U.S. in three key categories: surveillance, cyber defense, and its efforts to build up its commercial cyber sector.

“A lot of people, Americans in particular, will think that the U.S., the UK, France, Israel are more advanced than China when it comes to cyber power,” Eric Rosenbach, the Co-Director of Harvard’s Belfer Center, said.  “Our study shows it’s just not the case and that China is very sophisticated and almost at a peer level with the U.S.”  Overall, China’s cyber power is only second to the U.S., according to the research.  But the study also found that several countries that are not currently considered conventional cyber powers are rising on the world stage. More


Keep Getting This Newsletter

To ensure delivery to your inbox (not bulk or junk folders), please add NSI@nsi.org to your address book.

SUBSCRIBE: If you were sent this by a colleague and wish to subscribe to NSI's complimentary Security NewsWatch e-newsletter, visit http://nsi.org/newsletter.html.

Please feel free to share this e-mail with your colleagues and encourage them to sign up to get their own copy at http://nsi.org/newsletter.html

ADVERTISERS: For information about sponsoring this e-letter, contact sburns@nsi.org or call 508-533-9099.

National Security Institute
165 Main Street, Suite 215
Medway, MA 02053
Tel: 508-533-9099
Fax: 508-507-3631
Internet: http://nsi.org

*****************************

Help Your Employees Become Cyber Aware

Experts agree, well intentioned but careless employees pose just as much of a danger to your organization as faceless hackers on the outside. In fact, 95 percent of successful hack attacks or incidents are attributed to human error.

Learn how to mitigate the accidental insider threat and empower your employees to think securely with these valuable lessons:

  1. How to recognize and respond to social engineering attacks
  2. How to avoid spear-phishing and email scams
  3. How to avoid becoming an easy target for hackers
  4. How to prevent human errors that cause security breaches
  5. How to protect sensitive data from hackers, spies and ID thieves