Tag Archives: Department

CISA identifies malware from North Korean hacking group

The Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the FBI and Department of Defense, identified three new variants of malware used by a state-sponsored North Korean hacking group.

The three malware variants are known as Copperhedge, Pebbledash and Taintedscribe; Copperhedge is a remote access tool, and the latter two are Trojans. CISA attributed the malware to Hidden Cobra (AKA Lazarus Group), which is credited with much of the nation’s malicious state-sponsored activity.

The CISA alert did not specify how the malware variants were being used by nation-state hackers, or what entities were being targeted, but the agency did say the malware was being used in current threat activity.

“[The] FBI has high confidence that Hidden Cobra actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation,” the CISA malware analysis report said.

U.S. Cyber Command put the malware samples of all three variants on VirusTotal, a website and tool for file and URL analysis, so that other organizations and enterprises can analyze and block them. The CISA alert urged users and administrators to review the samples in VirusTotal, as well as CISA’s malware analysis reports, to better defend themselves against the threats.

North Korea has a history of malicious cyber activity, which includes notable exploits such as the 2014 Sony Pictures hack and the 2013 Dark Seoul attacks. Much of its reported malware has consisted of Trojans, but other types of malware are represented as well, such as proxy malware, worms, the WannaCry ransomware and more.

A CISA representative declined to comment further on the alert.

Go to Original Article
Author:

Experts weigh in on risk of Iranian cyberattacks against U.S.

The Department of Homeland Security warned of the potential for Iranian cyberattacks against the U.S., and security experts weighed in on the risks facing enterprises.

In the bulletin, released Saturday as part of the National Terrorism Advisory System, DHS said there was no indication that attacks from Iran were imminent, but noted the country and its allies “have demonstrated the intent and capability to conduct operations in the United States.” The bulletin was issued in the wake of escalating military conflict with Iran.

“Iran maintains a robust cyber program and can execute cyberattacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States,” DHS wrote in the bulletin. “Be prepared for cyber disruptions, suspicious emails, and network delays. Implement basic cyber hygiene practices such as effecting data backups and employing multi-factor authentication [MFA].”

In general, experts agreed there is a legitimate threat of Iranian cyberattacks against U.S. entities, and many added that while Iran has offensive cyber capabilities, it is not known to have capabilities on the level of the U.S., China or Russia.

Rick Holland, CISO and vice president of strategy at Digital Shadows in San Francisco, said Iran has proven the ability to cause damage with cyberattacks.

“Iranian offensive cyber capabilities have grown significantly since the days of Stuxnet, which was a catalyst for the Iranian regime to mature their capabilities,” Holland told SearchSecurity. “While Iran isn’t as mature as the United States, Russia or China, they are capable of causing damage. Destructive or wiper malware like Iran used against Saudi Aramco could cause significant damage to their targets.”

Robert M. Lee, CEO and founder of Dragos, said Iran has “consistently been growing their capabilities and are aggressive and willing to be as destructive as they can be.”

“We’re unlikely to see widespread issues or scenarios such as disrupting electric power but it’s entirely possible we will see opportunistic responses to whatever damage they think they can inflict,” Lee told SearchSecurity. “Iran has shown previously to be opportunistic in its targeting of infrastructure with denial of service attacks against banks as well as trying to get access to industrial control systems in electric and water companies. While it is important to think where strategic targets would be for them, it’s just as relevant that they might search for those who are more insecure to be able to have an effect instead of a larger effect on a harder target.”

High disruption value

While DHS did not specify which organizations Iran might target with cyberoperations, some experts tended to agree with Lee that infrastructure and financial targets would be most likely.

Jake Williams, founder and president of Rendition Infosec in Augusta, Ga., classified Iran as having “moderately sophisticated capabilities.”

“They aren’t on par with Russia or China, but they aren’t script kiddies either. Iran will most likely target defense industrial base and financial institutions — basically, targets that have a high disruption value,” Williams told SearchSecurity. “For an enterprise, the things to keep in mind are DDoS and early indicators of compromise for defense industrial base organizations. Of course, Iran could target other verticals, but we assess these to be the most likely initial targets.”

Levi Gundert, vice president of intelligence and risk at Recorded Future, noted that “Iranian sponsored groups are constantly probing potential targets for weaknesses toward intelligence gathering.”

“When provoked, these groups have also successfully demonstrated retaliatory cyberattacks. Based on historical precedent, Iran retaliates with destructive attacks against perceived threatening organizations (e.g. Sands Corporation), or they attack businesses toward achieving economic impact — large American financial service companies (Operation Ababil) and Saudi Aramco are two good examples,” Gundert told SearchSecurity via email. “We believe the most likely targets of cyberattacks remain the United States government, contractors, and partner businesses involved in U.S. regional interests.”

However, Chris Morales, head of security analytics at threat detection vendor Vectra in San Jose, Calif., said “everyone could be at risk” of an Iranian cyberattack.

“While certain industries were targeted in the past for disruption or for data theft, there is no limitation to who could be targeted in an asymmetric attack that involves disruption, misdirection and confusion,” Morales told SearchSecurity. “Earlier state-sponsored Iranian actors stole only basic information, but over the past few years they have been building long-term espionage campaigns. The risk here being in many cases Iranian actors already persist inside networks and it becomes a case of identifying their presence and removing them.”

Holland said the risk of being targeted by Iran would be low for most organizations, but enterprises should perform threat modeling by asking:

  • How do Iranian interests intersect your business?
  • How has historic Iranian targeting/victimology related to your company?
  • How does the Iranian threat stack up against your supply chain?

Protecting your organization

Experts agreed that taking care of the basics is probably the best approach to defend against possible Iranian cyberattacks.

Dr. Chase Cunningham, principal analyst serving security and risk professionals for Forrester Research, suggested enterprises “fix the easy stuff: deploy MFA everywhere; bolster DDoS defense and make sure email security is in place. Other than that, brace for impact and maintain situational awareness.”

Holland said enterprises “shouldn’t have to take any extraordinary measures.”

“Patch operating systems and applications. Disable Microsoft Office macros. Implement application whitelisting. Restrict admin privileges. Disable external-facing Remote Desktop Protocol,” Holland said. “Enable multi-factor authentication for external-facing applications and privileged users. Monitor for malicious domain registrations related to your organization.”

Gundert suggested organizations “take the time to understand Iranian sponsored groups’ historical tools, tactics, and techniques.”

“These groups typically achieve initial unauthorized access through password re-use, phishing, and/or web shells,” Gundert said. “Now is a great time to review and improve security controls for each threat category, as well as visibility into post-compromise activity like the usage of native Windows tools.”

Lee said the best approach is for cybersecurity professionals to “be in a heightened sense of awareness and put the investments they’ve made into people, process, and technology to use.”

“For companies that have yet to make proper investments into the cybersecurity of their business, there is not much that can be done quickly in situations like this,” Lee said. “Companies need to prepare ahead of these moments, and any angst felt should serve as an opportunity to look internally to determine what your plans would be, especially for incident response and disaster recovery.”


Pentagon CMMC program to vet contractor cybersecurity

The U.S. Department of Defense is aiming to secure its supply chain with the cybersecurity maturity model certification, or CMMC program, which will vet potential third-party contractors.

Ellen Lord, the undersecretary of defense for acquisition and sustainment, said at a news conference at the Pentagon that the CMMC program “will measure technical capabilities and process maturity” for organizations in the running for new defense contracts.

Although the full details of the CMMC program won’t be made public until January, Lord described it as a five-tier framework in which each level of certification is specifically designed based on how critical the work of the contractor would be. The CMMC program is scheduled to be fully implemented by June 2020.

Dan Fallon, senior director of public sector systems engineers at Nutanix, said programs like CMMC that “create or enhance standard practices and responsibilities around cybersecurity are essential to improving security posture.”

“It is great to see the DOD engaged in a strategic, comprehensive, and measured approach to ensuring the security of the products and vendors with whom they work,” Fallon told SearchSecurity. “Furthermore, the Department’s concerted effort in sourcing input from the private sector in developing these standards is a strong indication of its understanding that even with additional cybersecurity policy, overall security will always remain a shared responsibility between vendors and government agencies. After all, there is no one silver bullet to make an agency invulnerable to attack.”

Theresa Payton, president and CEO of Fortalice Solutions and former White House CIO, said the CMMC program “is a good next step to improve supply chain security for the DOD through its contractors and sub-contractors.” 

“In the wake of data breaches where the weakest link was a contractor, these are important next steps,” Payton told SearchSecurity via email. She added that if she “were to prioritize security elements for every contractor and subcontractor to meet it would be: 1. ensure that all data at rest and in transit and at points of consumption are encrypted; 2. have a regular review process of user access controls and authorizations to include third party applications and system to system interactions that are tested; 3. create kill switches that can be flipped if there is a suspected intrusion; 4. ongoing training and awareness.”

The full details of the CMMC program requirements won’t be known until next month, but Lord did promise the expectations, measurements and metrics used will be “crystal clear,” and audits of potential contractors will be done by a third party that should be chosen by next month as well.

Additionally, Lord said at the Ronald Reagan National Defense Forum in Simi Valley, Calif. earlier this week that the DOD expects the weakest links in the supply chain to be the lower tier, smaller companies who may not be able to afford to meet the requirements. As such, the DoD is planning ways to ensure smaller contractors can meet a basic level of cybersecurity via “broader certifications” that will be detailed more in the next three months.

Payton said she was “encouraged to see that the DOD specifically noted that it will help smaller contractors to meet requirements.”

“This will encourage many to embark on this endeavor,” Payton said. “A rising tide lifts all boats so if the DOD would extend free software, tools, and tips and techniques to their supply chain they will naturally lift the security of the DOD ecosystem.”

Government contractor risks

The history of cybersecurity risks and third-party contractors can be traced back years. The most famous example was whistleblower Edward Snowden, a contractor for Booz Allen, who stole and leaked information about NSA phone metadata tracking practices in 2013.

In 2015, a breach of the Office of Personnel Management affected millions and the ensuing investigation found that the threat actors gained access to systems in part by using credentials stolen from government contractors.

The DOD had two issues in 2017 linked to contractors. In August, an AWS S3 bucket containing unclassified data from the DOD was discovered to be publicly accessible due to misconfiguration by Booz Allen Hamilton. In November, another S3 bucket containing DOD data, this one built by contractor VendorX, was discovered to be exposed.

Payton said there’s a simple reason why these past issues didn’t lead to faster action by the government.

“There is a fundamental disconnect between the rate at which technology evolves and the rate at which bureaucracy reacts. What we’re dealing with here is a failure of systems,” Payton said. “It’s never too late to learn from past mistakes, but ultimately, we need real-time solutions not just to today’s obstacles and threats but to tomorrow’s as well.” 


Business and innovation tips for your Imagine Cup project

Editor’s note: This blog was contributed by the U.S. Department of Global Innovation through Science and Technology (GIST). GIST is led by the U.S. Department of State and implemented by VentureWell.

Microsoft’s Imagine Cup empowers student developers and aspiring entrepreneurs from all academic backgrounds to bring an idea to life with technology. Through competition and collaboration, it provides an opportunity to develop an application, create a business plan, and gain a keen understanding of what’s needed to bring a concept to market to make an impact. We’ve partnered with GIST to provide some top tips for turning your idea into a marketable business solution and prepare you to present it effectively on a global stage.

Key things to consider when developing a business idea

1. Assess whether your product is truly novel 

In the early development stages of a new idea, it’s important to assess whether your idea already exists in the current market and if so, what unique solution your application can provide. 

In the world of intellectual property law, “prior art” is the term used for relevant information that was publicly available before a patent claim. For example, if your company is working on a new type of football helmet, but another company has already given an interview about their own plans to invent such a helmet, that constitutes prior art – and it means your patent claim is likely to face a steep uphill battle. Start by asking yourself if your project is truly novel. What problem does your application solve? Are there similar solutions already on the market? If necessary, work with your university to establish if a patent already exists.

2. Learn to take feedback  

It’s easy to get attached to an invention. However, being too lovestruck with your technology can prevent you from absorbing vital feedback from customers, professors, mentors, even teammates. “Feedback is learning,” says Dr. Lawrence Neeley, Associate Professor of Design and Entrepreneurship at Olin College of Engineering. “Sure, feedback can hurt, but understand that you can’t improve your invention without learning what’s wrong with it. Feedback is a mechanism for growth.” In addition, don’t lose sight of the passion that originally drove you to develop a solution, as it can put you in the right mindset to listen to feedback. By keeping the core problem at the forefront, you can more effectively pivot your technology and business model to better address market demands. Read more about how to balance your passion with real-life data to make your project shine.

3. Incorporate diversity & inclusion 

Empower everyone to benefit from your solution by considering diversity and inclusion in your project early on. “When accessibility is at the heart of inclusive design, we not only make technology that is accessible for people with disabilities, we invest in the future of natural user interface design and improved usability for everyone,” says Megan Lawrence, an Accessibility Technical Evangelist at Microsoft. Check out some resources to help you build inclusion into your innovation: 

  • Use Accessibility Insights to run accessibility testing on web pages and applications. 
  • Learn how to create inclusive design through video tutorials and downloadable toolkits. 
  • Read the story of two Microsoft teams at Ability Hacks who embraced the transformative power of technology to create inclusive solutions now used by millions of people. 

Read more tips on using inclusion as a lens to drive innovation. 

4. Consider environmental responsibility 

To maximize impact from the start, it’s critical that student innovators develop an environmentally responsible mindset at the earliest stages of their innovation, business, or manufacturing process. Here are some examples from student innovators of how they integrated environmental responsibility into their business models: 

  • Use renewable energy sources where possible, such as solar power or implementing recycling processes. 
  • Incorporate sustainable processes through things like reducing packaging, limiting plastic waste, and sourcing materials that are reusable or biodegradable.  
  • Create an innovation that solves a key environmental issue or repurposes harmful by-products, such as recovering metal water contaminants or converting ocean waste.  

Read more about how they leveraged sustainability in their projects. 

Maximizing resources for your innovation 

It can be a challenge to seek support resources as a student entrepreneur. Here are some top tips for maximizing on- and off-campus benefits while you’re still in school – check out additional advice if you’re interested in learning more.

1. Take stock of university resources 

Assess what skills you may need beyond just technical and talk to faculty or administrators to develop a roadmap for your time in school. For instance, seek out seminars or courses in different departments to help sharpen writing or public speaking skills, or visit your university library to find out what resources they have to offer student entrepreneurs such as makerspaces, workshops, or guest lectures. 

2. Maximize networking opportunities 

Connect with others through LinkedIn, your university’s alumni network, classes, hackathons, and more to network with industry-specific experts. Pro-tip: Imagine Cup connects you to a global community of like-minded tech enthusiasts to collaborate and innovate together, in addition to giving you access to industry professionals. 

3. Take advantage of competitions  

Approach competitions as not just an opportunity to win, but also to further refine your project and go-to-market plan. Leverage feedback and insights from judges, mentors, and peers to continue ideating and developing a marketable solution.

Build business skills through hands-on innovation 

What better way to put these tips into practice than through bringing your own solution to life? The Imagine Cup is your opportunity to build a technology innovation from what you’re most passionate about. Regardless of where you place in the competition, you’ll have the chance to connect with like-minded tech enthusiasts across the globe, including joining a network of over two million past competitors. In addition, teams who advance to the Regional Finals will receive mentorship from industry professionals and in-person entrepreneurship workshops from GIST, led by the U.S. Department of State and implemented by VentureWell, to help elevate their solutions.

Learn by doing, code for impact, and build purpose from your passion. Register now for the 2020 competition. 


Author: Microsoft News Center

Microsoft wins $10 billion JEDI contract over AWS

Microsoft has been awarded the U.S. Department of Defense’s controversial JEDI contract over AWS in a surprise development that could be remembered as a watershed moment in the battle for market share among hyperscale cloud computing providers.

AWS had widely been expected to win the Joint Enterprise Defense Infrastructure contract, which was first announced in September 2017 and vigorously pursued by IBM, Oracle, Google and Microsoft. The DoD narrowed the field of candidates to AWS and Microsoft in April, and in July a judge tossed out a federal lawsuit brought by Oracle in protest of the process.

AWS had a perceived leg up on competitors for the JEDI contract, thanks not only to the breadth and depth of its cloud platform, but due to precedent. Several years ago, AWS landed a $600 million contract with the CIA centered on further development of the intelligence agency’s big data analytics capabilities.

Still, in May 2018, Microsoft said it had won a contract worth hundreds of millions of dollars that would see a panoply of U.S. intelligence agencies use its Azure Government service.

The DoD’s JEDI proposal, as laid out in a November 2017 memo, calls for a 10-year contract with a single provider to create a “highly available, exponentially elastic, secure, resilient cloud computing environment that seamlessly extends from the homefront to the tactical edge.”

The JEDI contract is worth up to $10 billion over the life of the agreement, but the base contract period is for just two years with $1 million guaranteed, according to the DoD.  About $210 million is expected to be spent during the initial two years, but the remainder of the contract is subject to rigorous ongoing reviews, the DoD said.

AWS could not immediately be reached for comment, but in published reports, a company spokesperson expressed surprise at the result.

“AWS is the clear leader in cloud computing, and a detailed assessment purely on the comparative offerings clearly lead to a different conclusion,” the company said.

The specter of presidential politics has loomed over the JEDI contract saga, with President Donald Trump – a harsh critic of Amazon CEO Jeff Bezos – saying in July that his administration planned to scrutinize Amazon’s JEDI bid in the wake of complaints about the award process from AWS competitors.

It isn’t immediately clear whether Amazon can or will pursue additional recourse following the JEDI contract award to Microsoft.

“All offerors were treated fairly and evaluated consistently with the solicitation’s stated evaluation criteria,” the DOD said in a statement. “Prior to the award, the department conferred with the DOD Inspector General, which informed the decision to proceed.”

While the Pentagon plans to eventually move 80% of its internal systems to the platform created by JEDI, it maintains many other cloud services. It also “continues to assess and pursue various cloud contracting opportunities,” according to a statement.

The cloud infrastructure market is worth about $100 billion at present, according to new numbers from Synergy Research. AWS has about 33.5% share of that market, with Microsoft at about 16.5%, Synergy reported.

AWS may still have a healthy lead over Microsoft, but the JEDI award gives the latter not only bragging rights but also a high-profile testimony to Azure’s readiness for the world’s most critical and sensitive workloads, which could prove quite valuable in negotiating other large-scale deals.

More details of the DoD’s decision-making process could be learned in coming days. In recent months, there had been some speculation the DoD would add an additional vendor to the JEDI contract after an initial award, both to hedge its strategic bets and mollify critics.

This is a breaking news story. More details to follow.


Lazarus Group hacker charged in Wannacry, Sony attacks

The Department of Justice has officially charged one member of the North Korean Lazarus Group for his role in the Wannacry attacks, the Sony Pictures breach, theft via the SWIFT banking system and more.

Nathan Shields, special agent for the FBI, filed an affidavit of complaint against the Lazarus Group hacker, Park Jin Hyok, on June 8, 2018, but the charges were made public Sept. 6.

Park was charged with conspiring to commit “unauthorized access to computer and obtaining information, with intent to defraud, and causing damage, and extortion related to computer intrusion” and wire fraud.

“The evidence set forth herein was obtained from multiple sources, including from analyzing compromised victim systems, approximately 100 search warrants for approximately 1,000 email and social media accounts accessed internationally by the subjects of the investigation, dozens of orders issued … and approximately 85 formal requests for evidence to foreign countries and additional requests for evidence and information to foreign investigating agencies,” Shields wrote in the affidavit.

Shields wrote that the affidavit was “made in support of a criminal complaint against, and arrest warrant” for Park, but there is no indication the DoJ knows where Park is currently located. The last mention in the affidavit noted Park returned to North Korea in 2014 after spending three years working for North Korean company Chosun Expo in China.

Although Park was the lone Lazarus Group hacker named in the filing, the entire North Korean team was implicated in the 2014 Sony Pictures breach, the 2016 theft of $81 million from Bangladesh Bank via the SWIFT network, the 2017 Wannacry ransomware attack as well as “numerous other attacks or intrusions on the entertainment, financial services, defense, technology and virtual currency industries, as well as academia and electric utilities.”

“In 2016 and 2017, the conspiracy targeted a number of U.S. defense contractors, including Lockheed Martin, with spear-phishing emails. The spear-phishing emails sent to the defense contractors were often sent from email accounts that purported to be from recruiters at competing defense contractors, and some of the malicious messages made reference to the Terminal High Altitude Area Defense (THAAD) missile defense system deployed in South Korea,” the U.S. Attorney’s Office for the Central District of California wrote in its  press release. “The attempts to infiltrate the computer systems of Lockheed Martin, the prime contractor for the THAAD missile system, were not successful.”

Confirmation of North Korean involvement

Park is the first Lazarus Group hacker named and officially charged by the U.S. government, but the Lazarus Group and North Korea have been connected to attacks before.

As far back as Dec. 2014, the FBI stated there was enough evidence to conclude that North Korea was behind the attack on Sony Pictures. And, in Dec. 2017 both the U.S. and U.K. governments blamed the Wannacry attacks on North Korea.

The affidavit detailed the use of the Brambul worm, which was malware attributed to the Lazarus Group in a US-CERT security alert issued by the FBI and Department of Homeland Security in May 2018.

However, while the confirmation of North Korean involvement was generally praised by experts, not all were happy that Park was the only Lazarus Group hacker to be named and charged.

Jake Williams, founder and CEO of Rendition Infosec, based in Atlanta, wrote on Twitter that it was a “human rights issue” to charge Park because the Lazarus Group hacker “likely had zero choice in his actions.”

DHS details electrical grid attacks by Russian agents

The Department of Homeland Security has offered more details on electrical grid attacks by Russian agents, and experts said the details show how air-gapping isn’t as secure as some may think.

In a briefing on Monday, DHS officials expanded on details of electrical grid attacks by Russian groups like Dragonfly 2.0. The briefing was the first time DHS released this amount of information in an unclassified setting, according to a report by The Wall Street Journal.

DHS said Russian hackers first targeted key industrial control vendors in order to steal credentials and access air-gapped and isolated utility networks. DHS also expanded the scope of the electrical grid attacks, saying there were “hundreds of victims,” although it is unclear if “victims” in this case refers to systems, substations, or utilities and vendors combined. Attackers reportedly stole confidential information about the utilities to learn how the industrial control systems (ICS) work and DHS said they had enough access to “throw switches.”

Ray DeMeo, COO and co-founder of Virsec, noted that “relying on air-gapping for security is a dangerous anachronism.”

“Air gaps are easily being bridged by social engineering, password theft, or, in the case of Stuxnet, a few rogue USBs left in Tehran coffee houses. With the increasing convergence of IT and OT systems, the control systems that manage critical infrastructure are increasingly networked and connected,” DeMeo wrote via email. “Plus, conventional security tools that rely on signatures must be connected in order to get the latest updates. Almost all of the recent attacks, successful attacks on power plants and other critical infrastructure have bypassed air gaps.”

Rohyt Belani, CEO and co-founder of Cofense, said even with isolation electrical grid attacks are still possible.

“Even though SCADA networks and other critical infrastructure may be segmented, there are always legitimate remote access systems in place from where administrators of those systems can log in and control them,” Belani wrote via email. “Attackers often gain their initial foothold in a corporate network via spear phishing and then move laterally to identify such key systems, which they then attempt to compromise to further their sphere of influence into critical systems.”

Michael Magrath, director of global regulations and standards at OneSpan Inc., said these electrical grid attacks, like other hacks “exploit the weakest link in the security chain — the people.” Magrath was also concerned about part of The Wall Street Journal report that claimed DHS was investigating if Russian hackers had ways to defeat multifactor authentication.

“To be clear, multifactor authentication is not ‘one size fits all.’ There are numerous approaches and technologies available with varying degrees of security and usability. For example, one-time passwords transmitted via SMS are very convenient and widely deployed. However, this multifactor authentication approach has been proven to be unsecure with [one-time passwords] being intercepted,” Magrath wrote via email. “Other solutions such as fingerprint biometrics, adaptive authentication, and utilizing public key cryptography techniques are far more secure and have gained widespread adoption. It remains to be seen what DHS learns.” 

DHS claimed it has been warning utilities about potential attacks since 2014. Joseph Kucic, CSO at Cavirin, said via email the utilities “have failed to implement the necessary changes so DHS went public to embarrass the utilities into taking the needed actions (timing was on the DHS side with all the Russia media attention).” 

David Vergara, head of security product marketing at OneSpan Inc., said “this is big game hunting for cybercriminals.”

“The motivation may pivot between political and monetization, but the impact to the target is the same, terror through vulnerability and exposure,” Vergara wrote via email. “It’s not difficult to extrapolate the outcome when an entire power grid goes offline during peak hours and the attack follows the weakest link, unsophisticated utility vendors or third parties.”

Potential damage of electrical grid attacks

It was unclear from the DHS report how much damage these electrical grid attacks could cause.

Katherine Gronberg, vice president of government affairs at ForeScout Technologies, said in the past, electrical grid attacks were “ostensibly motivated by money, business disruption, hacktivism or espionage.”

“Now, we are facing a very real and targeted threat to U.S. national security. A successful attack on systems such as power plants, dams or the electric grid could have severe repercussions and could possibly lead to the loss of human life and disruption of society,” Gronberg wrote via email. “With so much on the line, securing critical infrastructure must be top of mind. Recent efforts by the DHS, DOE and key congressional committees suggest that it is. But we have to tackle this problem as the shared responsibility it is. It likely will entail some difficult decisions at all levels, from policymakers to power producers to consumers.”

Andrea Carcano, co-founder and CPO of Nozomi Networks, noted that since the electrical grid attacks reported by DHS didn’t result in blackouts, it raises the “question if the attackers intentionally only went so far.”

“Attacks on the grid will be difficult to control and will undoubtedly lead to lots of collateral damage. This, combined with the risk of retaliation, may be keeping attackers at bay,” Carcano wrote via email. “It is reminiscent of the mutually assured destruction model of the Cold War when restraint was used on all sides. We are likely in the midst of a Cyber Cold War with all sides holding back from enacting the destruction they are truly capable of.”

Healthcare APIs get a new trial run for Medicare claims

In the ongoing battle to make healthcare data ubiquitous, the U.S. Digital Service for the Department of Health and Human Services has developed a new API, Blue Button 2.0, aimed at sharing Medicare claims information.

Blue Button 2.0 is part of an API-first strategy within HHS’ Centers for Medicare and Medicaid Services, and it comes at a time when a number of major companies, including Apple, have embraced the potential of healthcare APIs. APIs are the building blocks of applications and make it easier for developers to create software that can share information in a standardized way. Like Apple’s Health Records API, Blue Button 2.0 is based on a widely accepted healthcare API standard known as Fast Healthcare Interoperability Resources, or FHIR.

Blue Button 2.0 is the API gateway to 53 million Medicare beneficiaries, including comprehensive part A, B and D data. “We’re starting to recognize that claims data has value in understanding the places a person has been in the healthcare ecosystem,” said Shannon Sartin, executive director of the U.S. Digital Service at HHS.

“But the problem is, how do you take a document that is mostly codes with very high-level information that’s not digestible and make it useful for a nonhealth-savvy individual? You want a third-party app to add value to that information,” Sartin said.

So, her team was asked to work on this problem. And out of their work, Blue Button 2.0 was born.

More than 500 developers have signed on

To date, over 500 developers are working with the new API to develop applications that bring claims data to consumers, providers, hospitals and, ultimately, into an EHR, Sartin said. But while there is a lot of interest, Sartin said this is just the first step when it comes to healthcare APIs.

“The government does not build products super well, and it does not do the marketing engagement necessary to get someone interested in using it,” she said. “We’re taking a different approach, acting as evangelists, and we’re spending time growing the community.”

And while a large number of developers are experimenting with Blue Button 2.0, Sartin’s group will vet them heavily, and because of privacy concerns around the claims data, only a much smaller number will eventually be allowed to release applications.

Looking for a user-friendly approach

In theory, the applications will make it easier for a Medicare consumer to let third parties access their claims information and then, in turn, make that data meaningful and actionable. But Arielle Trzcinski, senior analyst serving application development and delivery at Forrester Research, said she is concerned Blue Button 2.0 isn’t pushing the efforts around healthcare APIs far enough.

“Claims information is not the full picture,” she said. “If we’re truly making EHR records portable and something the consumer can own, you have to have beneficiaries download their medical information. That’s great, but how are they going to share it? What’s interesting about the Apple effort as a consumer is that you’re able to share that information with another provider. And it’s easy, because it’s all on your phone. I haven’t seen from Medicare yet how they might do it in the same user-friendly way.”

Sartin acknowledged Blue Button 2.0 takes aim at just a part of the bigger problem.

“My team is focused just on CMS and healthcare in a very narrow way. We recognize there are broader data and healthcare issues,” she said.

But when it comes to the world of healthcare APIs, it’s important to take that first step. And it’s also important to remember the complexity of the job ahead, something Sartin said her team — top-notch developers from private industry who chose government service to help — realized after they jumped in to the world of healthcare APIs. 

“We have engineers who’ve not worked in healthcare who thought the FHIR standard was overly complex,” she said. “But when you start to dig in to the complexity of health data, you recognize sharing health data with each doctor means something different. This is not as seamless as with banks that can standardize on numbers. There, a one is a one. But in health terminology, a one can mean 10 different things. You can’t normalize it. Having an outside perspective forces the health community to question it all.”

Russian intelligence officers indicted for DNC hack

The Department of Justice announced Friday the indictment of 12 members of Russia’s GRU intelligence agency in relation to the 2016 breaches of the Democratic National Committee and Hillary Clinton’s presidential campaign.

The grand jury indictment, which is part of Special Counsel Robert Mueller’s investigation into Russian interference with the 2016 presidential election, claimed the 12 intelligence officers were engaged in a “sustained effort” to hack into the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC) and the Clinton campaign. The DNC hack led to confidential emails becoming public via WikiLeaks, which negatively impacted the Clinton campaign and Democratic Party.

The grand jury indictment alleged the Russian intelligence officers, operating under the online personas “DCLeaks” and “Guccifer 2.0,” leaked information through another entity known as “Organization 1.” The indictment does not mention WikiLeaks by name.

The Justice Department claimed that in 2016, members of Unit 26165 in the Russian government’s Main Intelligence Directorate (GRU) began spearphishing campaign officials and volunteers for Clinton’s presidential campaign; intelligence officers were able to steal usernames and passwords and use those credentials to obtain confidential emails and compromise other systems. The threat actors used similar techniques in the DNC hack as well as the breach of the DCCC’s network.

In addition, the Justice Department claimed Unit 26165, with members of the GRU’s Unit 74455, conspired to release the stolen emails and data in order to influence the election. According to the Department of Justice, Unit 74455 also “conspired to hack into the computers of state boards of elections, secretaries of state, and US companies that supplied software and other technology related to the administration of elections to steal voter data stored on those computers.”

The indictment accused the following individuals of being part of Unit 26165 and Unit 74455, and engaging in the DNC hack and other malicious activity: Viktor Borisovich Netyksho, Boris Alekseyevich Antonov, Dmitriy Sergeyevich Badin, Ivan Sergeyevich Yermakov, Aleksey Viktorovich Lukashev, Sergey Aleksandrovich Morgachev, Nikolay Yuryevich Kozachek, Pavel Vyacheslavovich Yershov, Artem Andreyevich Malyshev, Aleksandr Vladimirovich Osadchuk, Aleksey Aleksandrovich Potemkin and Anatoliy Sergeyevich Kovalev.

The 12 GRU officers are accused of 11 criminal counts, including criminal conspiracy against the United States “through cyber operations by the GRU that involved the staged release of stolen documents for the purpose of interfering with the 2016 presidential election”; aggravated identity theft; conspiracy to launder money; and criminal conspiracy for attempting to hack into certain state boards of elections, secretaries of state, and vendors of U.S. election equipment and software.

The Justice Department emphasized there is “no allegation in the indictment that the charged conduct altered the vote count or changed the outcome of the 2016 election,” and no allegation that any American was a knowing participant in the alleged criminal activity.

DHS, SecureLogix develop TDoS attack defense

The U.S. Department of Homeland Security has partnered with security firm SecureLogix to develop technology to defend against telephony denial-of-service attacks, which remain a significant threat to emergency call centers, banks, schools and hospitals.

The DHS Science and Technology (S&T) Directorate said this week the office and SecureLogix were making “rapid progress” in developing defenses against call spoofing and robocalls — two techniques used by criminals in launching telephony denial-of-service (TDoS) attacks to extort money. Ultimately, the S&T’s goal is to “shift the advantage from TDoS attackers to network administrators.”

To that end, S&T and SecureLogix, based in San Antonio, are developing two TDoS attack defenses. First is a mechanism for identifying the voice recording used in call spoofing, followed by a means to separate legitimate emergency calls from robocalls.

“Several corporations, including many banks and DHS components, have expressed interest in this technology, and SecureLogix will release it into the market in the coming months,” William Bryan, interim undersecretary for S&T at DHS, said in a statement.

In 2017, S&T handed SecureLogix a $100,000 research award to develop anti-call-spoofing technology. The company was one of a dozen small tech firms that received similar amounts from S&T to create a variety of security applications.

Filtering out TDoS attack calls

SecureLogix’s technology analyzes and assigns a threat score to each incoming call in real time. Calls with a high score are either terminated or redirected to a lower-priority queue or a third-party call management service.

SecureLogix built its prototype on existing voice security technologies, so it can be deployed in complex voice networks, according to S&T. It also contains a business rules management system and a machine learning engine “that can be extended easily, with limited software modifications.”
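To make the real-time scoring and routing idea concrete, here is a small rule-based call scorer written for this page. It is an added illustration, not SecureLogix's or DHS S&T's code, and it knows nothing about their prototype's actual rules or models. Every signal it uses (a burst of calls from one originating number inside a sliding window, a mismatch between the presented caller ID and the network-asserted originating number, a history of very short calls) and every weight, threshold and sample call is a constructed assumption. High-scoring calls are terminated, medium-scoring calls go to a lower-priority queue, and everything else is answered normally, mirroring the three outcomes described above.

```python
"""Toy telephony-DoS (TDoS) call scoring and routing pipeline.

Added illustration, not vendor or government code. Each incoming call is
scored in real time from a few rule-based signals; the score decides whether
the call is answered, deprioritised, or dropped. All signals, weights,
thresholds and sample calls below are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Routing outcomes, matching the three dispositions described in the article.
TERMINATE = "terminate"
LOW_PRIORITY = "low_priority_queue"
ANSWER = "answer"


@dataclass
class Call:
    caller_id: str          # number presented to the callee (easily spoofed)
    origin_number: str      # network-asserted originating number (assumed available)
    ts: float               # arrival time in seconds
    prior_talk_secs: float  # mean talk time of this origin's earlier calls, 0 if none


class CallScorer:
    """Scores calls with simple, explainable rules and keeps per-origin state."""

    def __init__(self, window_secs: float = 60.0, burst_threshold: int = 5):
        self.window = window_secs
        self.burst = burst_threshold
        self.recent = defaultdict(deque)  # origin_number -> arrival timestamps
        self.allowlist = set()            # known-good origins (e.g. 911 trunks)

    def _rate(self, call: Call) -> int:
        """Count arrivals from this origin inside the sliding window."""
        q = self.recent[call.origin_number]
        q.append(call.ts)
        while q and call.ts - q[0] > self.window:
            q.popleft()
        return len(q)

    def score(self, call: Call):
        """Return (score, reasons); higher means more likely TDoS/robocall traffic."""
        if call.origin_number in self.allowlist:
            return 0, ["allowlisted"]
        score, reasons = 0, []
        n = self._rate(call)
        if n >= self.burst:                       # constructed weight: burst is the strongest signal
            score += 50
            reasons.append(f"burst:{n}_in_{int(self.window)}s")
        if call.caller_id != call.origin_number:  # presented ID disagrees with network-asserted origin
            score += 30
            reasons.append("callerid_mismatch")
        if 0 < call.prior_talk_secs < 3:          # repeated near-instant hang-ups
            score += 20
            reasons.append("hangup_pattern")
        return score, reasons

    def route(self, call: Call):
        """Map the score to a disposition (thresholds are constructed)."""
        s, reasons = self.score(call)
        if s >= 70:
            return TERMINATE, s, reasons
        if s >= 30:
            return LOW_PRIORITY, s, reasons
        return ANSWER, s, reasons


def demo():
    """Run constructed traffic: one ordinary caller, then a spoofed burst."""
    scorer = CallScorer()
    results = [scorer.route(Call("+15550100", "+15550100", 0.0, 120.0))]
    for i in range(6):
        # Spoofed caller ID, same true origin, one call per second, 1 s prior talk time
        results.append(scorer.route(Call("+15550199", "+15559999", 1.0 + i, 1.0)))
    return results


if __name__ == "__main__":
    for action, s, reasons in demo():
        print(f"{action:20s} score={s:3d} {reasons}")
```

The burst rule alone never fires on the first few calls, so a spoofed origin is deprioritised rather than dropped until the sliding window proves it is flooding; only then does the score cross the terminate threshold. That ordering matters for the emergency-call case the article raises: the cost of dropping a genuine 911 call is far higher than the cost of queueing a robocall, which is why the allowlist short-circuits scoring for trusted trunks and why terminate is reserved for calls that trip several independent signals at once.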

Over the last year, SecureLogix deployed the prototype within a customer facility, a cloud environment and a service provider network. The vendor also worked with a 911 emergency call center and large financial institutions.

In March 2013, a large-scale TDoS attack highlighted the threat against the telephone systems of public-sector agencies. An alert issued by DHS and the FBI said extortionists had launched dozens of attacks against the administrative telephone lines of air ambulance and ambulance organizations, hospitals and financial institutions.

Today, the need for TDoS protection has grown from on premises to the cloud, where an increasing number of companies and call centers are signing up for unified communications as a service. In 2017, nearly half of organizations surveyed by Nemertes Research were using or planned to use cloud-based UC.