PROGRAMMING NOTE: We’ll be off for Thanksgiving this Thursday and Friday but back to our normal schedule on Monday, Nov. 28.
— The holiday season is not just a busy time for balloon handlers and pot-bellied Santa lookalikes. Hackers have developed a nasty habit of playing grinch when staff empty out for vacation — and cyber pros have learned to spend their holidays on edge.
HAPPY MONDAY, and welcome to Morning Cybersecurity! The home side went down in the opening game of the scandal-ridden 2022 World Cup.
It’s an outcome that will disappoint dozens of Qatari royals and one self-loathing Italian.
HOLIDAY FEAR — The old hands of the cybersecurity world have two thoughts when they see holiday cards pop up at the local CVS: Santa is coming — and so are the hackers.
That’s because some of the most notable hacks in the history of the industry — from the Aurora attacks on Google in 2009 to the more recent Log4j and SolarWinds incidents — have played out in the roughly month-long period between Thanksgiving and New Year’s.
Those experiences have many cyber experts anticipating a roller coaster 37 days between now and 2023, even as they hold out hope the past doesn’t turn out to be prologue.
And while many have gotten better at managing expectations around the holidays, it’s never easy to put out fires when you’re supposed to be cozying up next to them.
A common theme — “Oh my. So. Many. Stories,” wrote Kurtis Minder, CEO of security firm GroupSense and the firm’s de facto ransomware negotiator, when asked for his best (worst?) holiday “war story.”
Minder, who said he no longer leaves home without everything he needs to handle a negotiation, spent last Christmas dealing with a ransomware incident at a large European manufacturer.
The time difference “was less than convenient” for him and his team, he noted laconically.
Fed-ex Santa — When he got an urgent message to report to Google’s Mountain View headquarters in mid-December of 2009, Michael Sinno sensed immediately he wouldn’t be back in time for Christmas with his two daughters, then 7 and 5.
Then a systems administrator based in New York, Michael wound up spending the next five weeks fending off Chinese hackers in one of the industry’s most infamous attacks — what came to be known as Operation Aurora.
But if Sinno left home knowing things were serious, he did forget something important: presents, like the Nintendo DS he had to buy in California and ship home to his daughters. “Santa was Fed-Exing” that year, said Sinno.
No days off — Like almost everyone who spoke with MC, Ohad Zaidenberg, the head of intelligence at Anheuser-Busch InBev, said he has learned to approach holidays with a different mindset.
A Jew and an Israeli, Zaidenberg is “always prepared for an attack during our holidays, national days and Shabbat.” But he said he doesn’t let that dampen his mood.
“I don’t plan my weekends around the caprices of criminals,” said Zaidenberg. “I do it because I love my job.”
Enemy gets a vote — Sometimes, there’s only so much security experts can do to control their fate, as Allan Liska, a longtime security pro at Recorded Future, knows all too well.
Liska had a strict “NO WORK” order from his wife during their stepdaughter’s medical school graduation last year. It was an edict Liska intended to take seriously. It just happened to fall the same day as the most significant ransomware event in the country’s history, the attack on Colonial Pipeline.
“I managed to get through the weekend without getting divorced,” Liska wrote in an email to MC. “But it was close.”
RESTRUCTURING — The Department of Homeland Security is eyeing some big changes to the musty, almost decade-old playbook the executive branch uses to protect the country’s critical infrastructure, according to a new report released last week.
Previously classified, the 57-page review of how the government currently goes about picking which sectors are deemed critical and which federal agency will oversee them has a common theme: the federal government must do a better job of prodding, coaxing or compelling private industry to secure its networks.
What’s more, there’s plenty the executive branch can achieve even absent plussed-up powers from Congress.
New sectors — The DHS report singled out space and bioeconomy as two new critical infrastructure sectors that the government should explore.
Does that mean the U.S. is riding in the fast lane en route to 18 such sectors? Hardly. The report also gestures toward consolidation, noting that the U.S. “is well above the average number” of critical sectors compared to other countries.
New overseers — Look closely at the report’s guidance for determining which federal agencies will oversee a sector, and you’ll notice an echo of the White House.
Just as the Biden administration has called for using “creative interpretations” of existing regulatory authority to push ahead without beefed-up powers from Congress, the report identifies an agency’s existing oversight powers as a key criterion for its designation as a sector-wide lead on risk reduction.
It also calls out the need to squeeze value out of other executive bodies with untapped regulatory tools — a possibility flagged by a recent GAO report on an Interior Department bureau that is doing zilch to secure the offshore oil and gas facilities it regulates.
New authorities — Beyond redrawing the org charts, the U.S. should explore new “voluntary and regulatory mechanisms for risk reduction,” like stronger standards, best practices and regulatory and contract requirements.
It should also conduct an evaluation of the “need for new authorities” to oversee the country’s most critical of critical infrastructure.
What’s next — The report has already earned the seal of approval of the Biden administration. Now it’s on the White House to provide guidance back to DHS by rewriting another core element of the executive branch’s critical infrastructure protection mission, Presidential Policy Directive 21.
POKING THE BEAR — I am not sure this group needed any reminders about the dangers of cornering a wild bear, but here it is anyway: A pair of op-eds this weekend offer some tantalizing hints into what Russian hackers get up to when they find their backs against the wall.
Bidding war — A Russian firm that purchases exploits for previously unknown software bugs, or zero-days, recently jacked up an open bid for digital backdoors into Android phones and the Signal messaging application, in what looks like a last-ditch effort to find a way into Ukrainian military communications, writes security researcher The Grugq.
By advertising its willingness to pay hackers more than three times what its competitor, Zerodium, offers, Russian firm OpZero is betraying how desperate Russia is to access Signal, which has become the go-to communications platform among the Android-using Ukrainian military.
But The Grugq surmises they are so desperate for such a capability, they are “willing to announce their limitations” anyway.
Human touch — At least one unit of elite Russian hackers is willing to strap on their big boy pants and head out from behind their monitors when remote operations fail.
Hackers with GRU Unit 26165 have conducted close-access operations on at least two occasions to break into high-value targets, according to a Friday blog post from Justin Sherman, nonresident fellow at the Atlantic Council.
In 2018, Russian hackers flew to Amsterdam to subvert an Organization for the Prohibition of Chemical Weapons investigation into the poisoning of former Russian intelligence officer Sergei Skripal and his daughter, Yulia. Two years prior, cyber subversives with the same group traveled to Brazil and Switzerland to sink an investigation into Russian doping at the Olympics.
Policymakers, heed our call! — Sherman wants lawmakers and U.S. officials to pay more attention to Russia’s close-access operations. The Grugq (and others) see Signal’s successful stiff-arm of the Russian military as a powerful example of the importance of strong commercial encryption.
If you had any doubts, that means no (I repeat, zero) backdoors for “friendly” governments, either.
WORKING THE PHONES — An extortion group is using a simple but effective method to dupe victims into handing over access to sensitive data: phone calls. That’s according to research out this morning from Palo Alto Networks, which has tracked a surge in cases related to callback phishing, where criminals email victims false invoices with a help desk number and then smooth-talk the callers into forking over remote computer access. Though the activity sounds like a quirky blast from the past, Palo Alto researchers warn the fraudsters have built a sophisticated scheme involving call centers and the abuse of legitimate IT tools, making it hard for antivirus software to sniff out wrongdoing.
Glenn Hope, who has worked as a senior production engineer at Instagram and Facebook, has a long but informative thread detailing everything that could go wrong at Twitter. At 70K likes, it’s the “Tweet of the Weekend” in the truest sense of the term.
— The White House intends to preserve a Trump-era policy granting the Department of Defense wider authorities for the conduct of offensive cyber operations. (CyberScoop)
— Leadership changes in the House and Senate homeland security committees spell a shift for congressional cyber policy. (POLITICO)
— Ransomware incidents now account for the majority of the British government’s crisis management meetings. (The Record)