Thursday, April 16, 2020

Report on North Korean hacking offers a surprise twist



With help from Eric Geller and Martin Matishak


Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m. The POLITICO Pro platform combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.




U.S. agencies offered a reward for information on North Korean hackers, and revealed some surprising news about how they operate.


The North Carolina NAACP sued the state and counties for using a voting machine that it contends is vulnerable to cyberattacks.


Syrian hackers have adopted coronavirus-themed phishing lures, researchers said in a report released today.


HAPPY THURSDAY and welcome to Morning Cybersecurity! Holy wow, how did we miss this? Black magic! Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.


POLITICO Pro is here to help you navigate these unprecedented times. Check out our new Covid-19 Coverage Roundup, which provides a daily summary of top Covid-19 news coverage from across all 16 federal policy verticals as well as premium content, such as DataPoint graphics. Please sign up at our settings page to receive this unique roundup sent directly to your inbox every weekday afternoon.


Sign up for POLITICO Nightly: Coronavirus Special Edition, your daily update on how the illness is affecting politics, markets, public health and more.


WHAT PYONGYANG’S HACKERS DO ON THE SIDE — What at first glance might have seemed a mere U.S. government summary of existing information about North Korean hacking turned out to have a bit more to it. The advisory, issued Wednesday by the FBI and the departments of State, Homeland Security and Treasury to “raise the awareness of the cyber threat posed by North Korea,” also revealed that the State Department was offering up to a $5 million reward for information about illicit North Korean activity in cyberspace.


And FireEye noticed that it spelled out some hitherto unrevealed information: “The most interesting revelation to come out of this morning’s report was that North Korean hackers were offering their services to third parties and being paid to work as hackers-for-hire,” John Hultquist, senior director of intelligence analysis, said in an email. “Though we knew that these operators were involved in freelancing and other commercial activity such as software development we had no evidence that they were carrying out intrusions and attacks on behalf of anyone other than the North Korean regime.” It’s not uncommon for hackers working for nation-states to moonlight as criminals, but it is rare for them to do so with that nation-state’s knowledge, Hultquist said.


Asked about the timing of the report, a State Department spokesperson answered: “The U.S. government regularly shares cyber threat information with international partners, the private sector, and the public; the advisory collates the information on existing U.S. government resources in one place and provides a policy overview and recommended steps to counter the North Korean cyber threat.”


TAKING VOTING MACHINES TO COURT — The North Carolina NAACP sued the State Board of Elections and 21 county election boards on Wednesday over voting machines that the civil rights group challenged as “insecure and fatally flawed.” The ExpressVote machines are ballot-marking devices manufactured by Election Systems & Software. The lawsuit devotes the better part of three pages to the cyber risks posed by the machines.


“North Carolina’s ExpressVotes do not achieve the level of security necessary to withstand an attack by a sophisticated adversary such as a hostile foreign government,” the suit reads. “It suffers from serious security risks much like those of the notoriously flawed DRE voting system it has replaced in many counties.”


A spokesperson for the North Carolina Department of Justice said that the department was reviewing the filings.


THE ROAD TO DAMASCUS — A long-running Syrian government surveillance operation has incorporated coronavirus lures to entice victims into installing its mobile malware, Lookout researchers said in a report out today. Hackers using infrastructure associated with the Syrian Electronic Army have been spreading 71 malware-laden Android apps since January 2018, according to Lookout. In late March, the operators created a “Covid19” app, which installs a second app that claims to take a user’s temperature using their fingerprint. In reality, the “Degree Measure” app deploys the AndoServer malware, which can capture GPS data, steal call logs and text messages, launch other apps, take screenshots and record audio, among other functions.


This app, like the others used in the campaign, never appeared in the official Android app marketplace, Lookout said, meaning it was “likely distributed through actor-operated watering holes or third-party app stores.” Such tactics have become increasingly common as Google cracks down on malicious apps on its official platform.


Lookout linked the campaign to Syria based on command-and-control infrastructure overlap and references in hastily scrubbed application files to a name found in known Syrian Electronic Army malware. The company also said that it made sense for the Syrians to modify commodity malware for surveillance; the vast majority of the campaign’s malicious apps (64 of 71) use the SpyNote commercial malware, while the rest use malware (including AndoServer and SLRat) that is likely for sale in select markets. The company said there were “likely more [boutique spyware apps] to be discovered.”
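The attribution reasoning above rests on two kinds of overlap: shared command-and-control infrastructure and a telltale string carried over from earlier malware. The following is an added illustration of that pivot, not code from Lookout or from the report; every sample name, host and embedded string in it is a constructed placeholder, and the "known" reference set stands in for indicators an analyst already attributes to a family. Samples are clustered when they share any indicator, then a cluster is attributed if any member links directly to the reference set.

```python
"""Attribution pivot on shared C2 hosts and embedded strings.

Added example; all sample names, hosts and strings are constructed
placeholders, not indicators from the Lookout report.
"""
from collections import defaultdict

# Constructed per-sample metadata: C2 hosts from the config and notable
# strings recovered from the unpacked APK (e.g. leftover author names).
SAMPLES = {
    "sample_a.apk": {"c2": {"c2-one.example", "c2-two.example"}, "strings": {"AuthorX"}},
    "sample_b.apk": {"c2": {"c2-two.example"}, "strings": set()},
    "sample_c.apk": {"c2": {"c2-three.example"}, "strings": {"AuthorX"}},
    "sample_d.apk": {"c2": {"unrelated.example"}, "strings": set()},
}

# Constructed reference set: indicators already tied to a known family.
KNOWN = {"c2": {"c2-one.example"}, "strings": {"AuthorX"}}


def build_indicator_index(samples):
    """Map each (kind, value) indicator to the set of samples exposing it."""
    index = defaultdict(set)
    for name, meta in samples.items():
        for kind in ("c2", "strings"):
            for value in meta[kind]:
                index[(kind, value)].add(name)
    return index


def cluster_by_overlap(samples):
    """Union-find over samples: two samples join one cluster if they share any indicator."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for members in build_indicator_index(samples).values():
        members = sorted(members)
        for a, b in zip(members, members[1:]):
            union(a, b)

    clusters = defaultdict(set)
    for name in samples:
        clusters[find(name)].add(name)
    return [frozenset(c) for c in clusters.values()]


def link_to_known(samples, known):
    """Per sample, the indicators it shares directly with the reference set."""
    links = {}
    for name, meta in samples.items():
        shared = {(k, v) for k in ("c2", "strings") for v in meta[k] & known[k]}
        if shared:
            links[name] = shared
    return links


def attributed_samples(samples, known):
    """Samples tied to `known` directly, or transitively via an overlap cluster."""
    direct = set(link_to_known(samples, known))
    result = set()
    for cluster in cluster_by_overlap(samples):
        if cluster & direct:
            result |= cluster
    return result


if __name__ == "__main__":
    for c in cluster_by_overlap(SAMPLES):
        print("cluster:", sorted(c))
    print("direct links:", link_to_known(SAMPLES, KNOWN))
    print("attributed:", sorted(attributed_samples(SAMPLES, KNOWN)))
```

In the constructed data, sample_b shares only a C2 host with sample_a and carries no telltale string, yet it is attributed through the cluster; sample_d shares nothing and stays out. Note what is deliberately not used as an indicator: the malware family. As the report's own numbers show (64 of 71 apps on commodity SpyNote), a shared commodity family says little about who operates it, which is why the pivot here is on infrastructure and actor-specific strings rather than on the tooling.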


OPEN FOR BUSINESS — Covid-19 has wreaked havoc on the U.S. economy, but cybersecurity jobs don’t look as though they’ve been affected much, training company CyberVista said in a report released today. LinkedIn lists 261,545 cybersecurity jobs posted within the past month, CyberVista observed. “The sudden shift to remote and distance work created a dire need for cybersecurity professionals to secure networks, technology, and personnel activity,” it said. “This is particularly true of some of the most affected areas due to COVID-19 and the open job data underscores this point”: Cyber openings are up slightly in California, for instance, and down only 2.5 percent in New York.


RANSOMWARE: NOW WITH TWICE THE EXTORTION — Check Point saw the “double extortion” ransomware tactic more frequently in the first quarter of this year, it said in a report this morning. The tactic involves hackers stealing data, encrypting systems, leaking a small part of the data and then threatening to leak more if the ransom isn’t paid. The method first reared its head in November, and cybercriminals have increasingly adopted it. “We’re especially worried about hospitals having to face this threat,” said Lotem Finkelsteen, manager of threat intelligence. “With their focus on coronavirus patients, addressing a double extortion ransomware attack would be very difficult.”


EVEN ‘ANGRY BIRDS’ ISN’T SACRED — An Iranian disinformation group has been spreading word that the U.S. created the coronavirus and is hindering Iran’s response, Graphika said in a report released on Wednesday. The International Union of Virtual Media creates videos, memes and articles to spread a message that comports with the goals of the Iranian government. The coronavirus-themed campaign also praises Iranian and Chinese leaders, Graphika said. Still, it doesn’t seem like the message has taken hold too well. “The IUVM operation is significant and manned by a well-resourced and persistent actor, but its effectiveness should not be overstated,” the company said.


TEN AND COUNTING — The Air Force’s latest bug bounty competition uncovered 460 vulnerabilities in the service’s Virtual Data Center, a collection of cloud-based servers and systems. The four-week, remote “Hack the Air Force 4.0” — administered by the Defense Digital Service and HackerOne, which announced the results on Wednesday — saw 60 vetted hackers earn more than $290,000 in payouts. The challenge allowed DDS to “expand the program to new U.S. Air Force assets to further bolster cyber defenses against our adversaries,” expert Anil Dewan said in a statement. The competition was the 10th bug bounty stemming from 2016’s high-profile “Hack the Pentagon” effort.


TWEET OF THE DAY — Literally throwing shade.


RECENTLY ON PRO CYBERSECURITY — Cloudflare is offering free security protections to state and local governments during the pandemic. … Sen. Richard Burr (R-N.C.) owes the country an explanation about his stock trades while he was receiving coronavirus briefings, fellow North Carolina Sen. Thom Tillis said. … “EU Zooms ahead, despite worries over app.” … President Donald Trump enlisted top tech and telecommunications leaders for his Great American Economic Revival Industry Groups.


Luta Security founder and CEO Katie Moussouris has joined Zoom as a security adviser, Zoom announced on Wednesday. Luta Security will help Zoom reboot its bug bounty program.


Motherboard: Hackers are asking $500,000 for a critical Zoom zero-day exploit.


Lawfare: Eileen Decker of the Los Angeles Police Commission and Mieke Eoyang of Third Way wrote about the need for better cybercrime data.


VMware Carbon Black said global organizations are seeing a 148 percent spike in ransomware attacks during Covid-19.


Protocol: “How to manage Slack and email for laid-off and furloughed workers.”


Reason: The Supreme Court might take its first major Computer Fraud and Abuse Act case.


CyberScoop: Hackers are using a new video game to try to steal gamers’ credentials.


Yahoo News: The White House missed a deadline from Capitol Hill on explaining the firing of the intelligence community’s inspector general.


Daily Beast: Attorney General William Barr asked Australia for help on a review of the Russia probe while the Justice Department was working to free two of the country’s hostages in Iran.


Associated Press: “Would you give up health or location data to return to work?”


That’s all for today.


Stay in touch with the whole team: Eric Geller ([email protected], @ericgeller); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); and Tim Starks ([email protected], @timstarks).

