
What a ransomware attack on oil and gas could signal


With help from Eric Geller, Mary Lee and Martin Matishak

Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at www.politicopro.com.

A series of successful ransomware attacks on oil and gas facilities could have darker tidings, since the payout-hunting hackers might have been able to do worse, a cyber firm told MC.

Video conferencing service Zoom contended with another big vulnerability, according to research out today.

How will the U.S. respond if British Prime Minister Boris Johnson decides against banning Huawei? Would the administration stop sharing intel with MI6?

HAPPY TUESDAY and welcome to Morning Cybersecurity! This person does, indeed, deserve animosity. Send your thoughts, feedback and especially tips to tstarks@politico.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

HITS ON OIL AND GAS — Ryuk ransomware recently hit at least five oil and gas facilities in what appeared to be targeted attacks, forcing them to switch to manual operations, according to the cybersecurity firm ThreatGEN. The firm’s CEO told MC on Monday that while he believed the hackers were “big game hunting” — thinking that the oil industry was a good place to chase payouts — it could have been worse. “If they had the intent of causing damage rather than seeking ransom, they were already in the system where if they wanted to they could’ve taken full control” of vital systems, said ThreatGEN leader Clint Bodungen. “That’s the scary part.”

Bodungen revealed his research at a security conference last week in response to a Coast Guard alert that he considered inaccurate. The findings went largely unreported, and Bodungen said that in his conversations with other companies at the conference, they had not yet found similar cases. Bodungen said the attacks affected two of his company’s customers, and he knew of three other incidents. The similarities in those attacks led him to conclude they were from the same group, but he didn’t focus much on further attribution; some of the computers were loaded with other kinds of digital crud that pinged a variety of geographical regions.

“This is the first evidence I’ve seen of a [direct] or at least industry-targeted attack of multiple sector facilities in such a small time frame,” he said. Attacks forcing energy companies to switch to manual operations “happens more often than you’d think,” he added.

WHO’S ZOOMING WHO? — Video conferencing service Zoom had a flaw that would have allowed hackers to eavesdrop on Zoom meetings and gain access to audio, video and shared documents, Check Point researchers revealed this morning. The company said it worked with Zoom on fixes, such as password additions and changes, to defend against a three-step hack that involved generating a list of IDs, validating them and then connecting to the meetings.

Check Point said it first alerted Zoom to the problem in July, around the time Zoom was dealing with fallout from another vulnerability that could have allowed hackers to access Mac user webcams. The software engineer who alerted Zoom about that flaw said the company was too slow to respond to the problem.

HUAWEI IN THE U.K.? — Johnson’s expected verdict today on Huawei’s role in British 5G networks could come as a big slap to President Donald Trump, who wants U.S. allies to spurn the Chinese telecom company. And it raises a question for the Trump administration: How to respond? One potential step: Cut British access to shared intelligence, a possibility POLITICO’s Steven Overly, Connor O’Brien and Doug Palmer wrote about Monday.

HSGAC ON THE CYBER BEAT — The Senate Homeland Security Committee is plotting a cybersecurity hearing in the near future, a spokesperson confirmed to MC on Monday, and DHS is among the potential witnesses. Chairman Ron Johnson (R-Wis.) said he wanted the hearing to focus on ransomware and cyber hygiene, and that he hoped it would include CISA Director Chris Krebs.

SECURITY TOOLS GALORE — The fastest-growing apps this year are focused on security and data, according to a report out today on applications from Okta based on an evaluation of its customers’ behaviors. The report also found the top concern of chief information security officers often is improving the security of individual credentials. Among tools targeted at protecting people, the data showed the fastest growth came from password managers, at 84 percent year-over-year growth.

IT’S STATE’S TURN ON BEZOS QUESTIONS — Another Democratic senator is questioning what the federal government knows about any Saudi government attempts to hack U.S. government officials. Bob Menendez (D-N.J.), ranking member on the Foreign Relations Committee, released a letter on Monday to the State Department, posing the query following last week’s news about alleged Saudi involvement in hacking the phone of Amazon owner Jeff Bezos. He also asked what steps Foggy Bottom is taking to prevent such intrusions. Menendez’s letter is dated Friday, the same day Sen. Ron Wyden (D-Ore.) lobbed his questions at the NSA.

“As we have seen from the brutal murder of Jamal Khashoggi, the detention and torture of activists, and the alleged use of former Twitter employees to spy on dissidents, the Saudi government has a troubling record of using technology to repress dissent,” Menendez wrote. “The apparent use of spyware to gain unauthorized access to the data of a U.S. citizen by the Crown Prince of Saudi Arabia raises fresh concerns about the ability and willingness of the Saudi government use technology to subvert U.S. national security interests.”

SWORD FIGHT — NATO officials recently participated in a joint exercise that combined input from U.S. Cyber Command representatives with technical skills with kinetic force. The sixth annual “Crossed Swords” exercise, which took place in Latvia, brought over officials from six countries together for an exercise that linked cyber elements with conventional force, according to NATO’s Cooperative Cyber Defence Centre of Excellence.

“The main task and lesson is to understand the coordination between multiple disciplines,” Lauri Luht, the center’s director of technical exercises, said in a readout on Monday. The event is a warm-up for the upcoming “Locked Shields” exercise, which will mobilize digital experts from 26 countries to practice protecting national IT systems and critical infrastructure from a severe cyberattack.

SLIDING INTO YOUR DATA PACKETS LIKE… — Hackers with links to Turkey abused DNS to hijack and spy on the internet traffic of at least 30 Middle Eastern government agencies and private-sector organizations, Reuters reported on Monday. The espionage operation, which occurred in late 2018 and early 2019, targeted Cypriot, Greek, Albanian and Iraqi government offices, according to Reuters. A private-sector cyber expert said a breach at Albania’s intelligence agency compromised “hundreds of usernames and passwords,” though the agency said it didn’t affect “any information classified as ‘state secret’ of any level.”

U.S. and British officials told Reuters that they believed Turkey was behind the campaign based on overlapping infrastructure, geopolitics and “confidential intelligence assessments that they declined to detail.” Among the non-government targets was a Turkish religious group that conservative media outlets in the country claim is linked to Fethullah Gulen, a Turkish cleric living in the U.S. whom President Recep Tayyip Erdoğan’s regime accuses of orchestrating a failed coup.

Cisco researchers first revealed the campaign in April 2019 and attributed it to a group they called “Sea Turtle.” In a follow-up report three months later, they assessed that the then-unknown threat actor “regrouped after we published our initial findings and coverage and are redoubling their efforts with new infrastructure.” Officials told Reuters that they still weren’t sure which specific Turkish-aligned groups conducted the attacks.

PEPSI AND HOME DEPOT, NO BIGGIE — Avast, the company behind popular free antivirus software, drew scrutiny from senators following a joint investigation on Monday from Motherboard and PC Magazine that found some of the world’s largest corporations are buying up user data that, contrary to Avast’s claims, can be traced back to individual users. Wyden urged the company to do more to protect users, while top Senate Intelligence Democrat Mark Warner of Virginia took aim at the FTC, saying it needed to use its authorities to crack down on data sales.

TWEET OF THE DAY — No thanks.

RECENTLY ON PRO CYBERSECURITY — Tech before U.S. trade for post-Brexit Britain.” … A Chinese state media outlet reported that hundreds of millions of pieces of personal data were leaked. … The British government will legislate cybersecurity rules on internet-connected devices. … The European Commission is pondering rules to prevent connected car hacking.

OurMine hacked the Twitter accounts of the NFL and 15 of its teams. Sporting News

The Aspen Institute says the U.S. needs a “grand strategy” to counter China, including in cyberspace. Inside Cybersecurity

A DoD acquisition framework could elevate cyber. Inside Cybersecurity

Indonesian police arrested three men over Magecart-like attacks. CyberScoop

Tinder’s panic button is sharing data with ad tech companies. Gizmodo

Third patch is the charm? Wired

NPR previewed the National Association of Secretaries of State meeting this weekend.

That’s all for today.

Stay in touch with the whole team: Mike Farrell (mfarrell@politico.com, @mikebfarrell); Eric Geller (egeller@politico.com, @ericgeller); Mary Lee (mlee@politico.com, @maryjylee); Martin Matishak (mmatishak@politico.com, @martinmatishak) and Tim Starks (tstarks@politico.com, @timstarks).




