Official attribution of the Microsoft Exchange Server attacks to China. Threats to industrial control systems. Privateering and APT side-hustles. – The CyberWire


By the CyberWire staff

Official attribution of the Microsoft Exchange Server attacks: allies say it was China.

Monday morning the US, with the concurrence of the other Five Eyes partners, NATO, Japan, and the European Union, formally attributed an attack on Microsoft Exchange Server to China’s Ministry of State Security. The attribution had long been expected. On March 2nd, Microsoft itself had attributed the incident to Hafnium, which it identified as a “state-sponsored threat actor” that “operates from China.” NSA, CISA, and the FBI issued a joint cybersecurity advisory the same morning on behalf of the US Government that outlines the basis for the attribution, the tactics, techniques, and procedures the Ministry of State Security employed, and a range of suggested mitigations.

The incident’s official attribution to China so far involves no new sanctions or other imposition of costs, the Washington Post reports. Some officials suggest the attribution should set expectations of nation-state behavior in cyberspace.

Reuters reports that among the governments calling out China for cyberespionage is Norway’s, which on Monday publicly attributed a March 10 attack on the parliamentary email system to Beijing. This official attribution has been expected for some time; Chinese intelligence services have been the leading suspect since early in Norway’s investigation. Norway made its attribution in connection with the general accusation by more than thirty nations that China had been engaged in widespread and damaging cyberattacks.

ANSSI, France’s national cybersecurity agency, warned at midweek that APT31 (also known as Zirconium and Judgment Panda), a Chinese industrial espionage group, is hijacking home routers to lend resilience to its attack infrastructure.


Privateering and APT side-hustles.

Russian toleration of ransomware gangs operating from its territory against targets in other countries was a sticking point in the Russo-American summit and follow-on conversations. The relationship between the gangs and the Kremlin has been described as analogous to privateering: the gangs are able to romp freely through permissible targets and keep whatever they can steal.

The Washington Post described how ransomware has also become a feature of recent Chinese activity. In this case the Ministry of State Security appears to contract with organizations to carry out operations under MSS direction. The contractors are then permitted some latitude for extortion or theft. This is more of a side-hustle than it is privateering. The threat actors aren’t roving cyberspace looking for prizes, but they’re able to take prizes in the course of operating under state direction.

The US says China’s MSS contracts out some of its cyber operations.

The US has said that China’s Ministry of State Security contracted at least part of its exploitation of Microsoft Exchange Servers to criminal organizations. In many cases those gangs were permitted to profit directly from their activities, a White House statement charged:

“The United States is deeply concerned that the PRC has fostered an intelligence enterprise that includes contract hackers who also conduct unsanctioned cyber operations worldwide, including for their own personal profit. As detailed in public charging documents unsealed in October 2018 and July and September 2020, hackers with a history of working for the PRC Ministry of State Security (MSS) have engaged in ransomware attacks, cyber enabled extortion, crypto-jacking, and rank theft from victims around the world, all for financial gain. 

“In some cases, we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars. The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts.”


Threats to industrial control systems.

The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an account of six cyberattacks on industrial control systems that occurred between 2011 and 2016, suggesting that more such attacks may be in the offing. The history is interesting in its specific attribution of the attacks to nation-states: one each to China and Iran, the remaining four to Russia. 

CISA also updated its alert on a Chinese cyber campaign that targeted pipelines between 2011 and 2013. The campaign wasn’t confined to a single pipeline or a single operator, and the attackers generally approached their targets by social engineering, principally spearphishing. “Twenty-three U.S. natural gas pipeline operators targeted from 2011 to 2013 in this spearphishing and intrusion campaign,” CISA wrote, adding, “Of the known targeted entities, thirteen were confirmed compromises, three were near misses, and seven had an unknown depth of intrusion.”

The goal of the campaign seemed to be reconnaissance and staging. CISA concluded that, “The U.S. Government has attributed this activity to Chinese state-sponsored actors. CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.”

Theft of intellectual property was not the apparent goal. “CISA and FBI assess that these intrusions were likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft. This assessment was based on the content of the data that was being exfiltrated and the TTPs used to gain that access. One victim organization set up a honeypot that contained decoy documents with content that appeared to be SCADA-related data and sensitive organizational information. According to this organization, the SCADA-related decoy content was exfiltrated within 15 minutes of the time it was made available in the honeypot. Other sensitive decoy information, including financial and business-related information, was ignored.”
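The honeypot CISA describes is a cheap and decisive discriminator of intent: plant decoys that look like different kinds of data, then watch which ones an intruder takes and how quickly. Below is an added example of such a decoy-document tripwire. It is not code from CISA or from the victim organization; the audit-log format, file names, user names and timestamps are all constructed for illustration, and a real deployment would feed it file-access events from auditd, Windows object-access auditing, or a file server’s access log instead.

```python
"""Decoy-document tripwire (added example, not CISA's or the victim's code).

Plants are described as a path -> category map. Every access to a decoy after
it was planted, by anyone other than the maintenance accounts that put it
there, is reported with its category and how many minutes after planting it
happened. The summary then shows which categories were taken and which were
ignored, which is exactly the signal CISA used to separate reconnaissance of
ICS networks from intellectual-property theft.
"""
from datetime import datetime, timedelta

# Decoy files planted on the honeypot, tagged by what they appear to contain.
# Paths and names are constructed for this example.
DECOYS = {
    "/share/eng/scada/plc_tags_export.csv": "scada",
    "/share/eng/scada/hmi_network_diagram.pdf": "scada",
    "/share/finance/FY2012_budget.xlsx": "financial",
    "/share/legal/vendor_contracts.docx": "business",
}

# When the decoys were made available. Writes before or at planting by the
# maintenance accounts below are the planting itself, not an intrusion.
PLANTED_AT = datetime(2012, 3, 14, 9, 0, 0)
MAINTENANCE_USERS = ("svc_fileadmin", "backup")

# Constructed audit log, one event per line:
#   <ISO timestamp> <user> <action> <path> <source IP>
SAMPLE_LOG = """\
2012-03-14T09:00:02 svc_fileadmin WRITE /share/eng/scada/plc_tags_export.csv 10.0.5.20
2012-03-14T09:04:11 jdoe READ /share/eng/scada/plc_tags_export.csv 10.0.9.77
2012-03-14T09:04:45 jdoe READ /share/eng/scada/hmi_network_diagram.pdf 10.0.9.77
2012-03-14T09:05:00 mlee READ /share/hr/holiday_calendar.pdf 10.0.9.12
2012-03-14T17:30:00 backup WRITE /share/finance/FY2012_budget.xlsx 10.0.5.21
"""


def parse_line(line):
    """Split one constructed audit line into a dict; raises on a malformed line."""
    ts, user, action, path, src = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "path": path,
        "src": src,
    }


def decoy_hits(log_text, decoys=DECOYS, planted_at=PLANTED_AT,
               ignore_users=MAINTENANCE_USERS):
    """Return every post-planting access to a decoy by a non-maintenance user."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["path"] not in decoys:
            continue
        if ev["time"] < planted_at or ev["user"] in ignore_users:
            continue
        ev["category"] = decoys[ev["path"]]
        ev["minutes_after_planting"] = (ev["time"] - planted_at) / timedelta(minutes=1)
        hits.append(ev)
    return hits


def intent_summary(hits, decoys=DECOYS):
    """Which decoy categories were taken, which were ignored, and how fast."""
    touched = {h["category"] for h in hits}
    all_categories = set(decoys.values())
    first = min((h["minutes_after_planting"] for h in hits), default=None)
    return {
        "touched": sorted(touched),
        "ignored": sorted(all_categories - touched),
        "first_access_minutes": first,
    }


if __name__ == "__main__":
    found = decoy_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['user']}@{h['src']} {h['action']} {h['path']} "
              f"[{h['category']}] +{h['minutes_after_planting']:.1f} min")
    print(intent_summary(found))
```

On the constructed log the SCADA decoys are read within about four minutes of planting while the financial and business decoys are never touched, which mirrors the pattern in CISA’s account. Two design points matter in practice: the planting writes and scheduled backups must be excluded by account, not by action, or the tripwire fires on itself; and the category map should be kept off the honeypot, since an intruder who can read it learns which files are bait.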

The warnings this week, and the attribution of ICS threats to three major hostile states, would seem to figure in the US response to more recent incidents, including not only MSS exploitation of vulnerable Microsoft Exchange Server instances, but also Russian-tolerated or enabled ransomware attacks. It also coincided with the US Transportation Security Administration’s issuance of further security guidelines for pipeline operators. The guidelines were motivated in the first instance by REvil’s ransomware attack on Colonial Pipeline, but CISA’s revisiting of China’s earlier campaign is more than coincidence.


China denies responsibility for cyberespionage, and frames itself as the victim of US cyberattacks and disinformation.

China continues to frame criticism of its extensive cyberespionage operations, notably its exploitation of vulnerabilities in Microsoft Exchange Server but, as we’ve seen, not confined to that particular campaign, as essentially American-led disinformation. It is, the government-controlled Global Times says, a wide-ranging plot to “slander and contain” China. The co-conspirators include “the US, NATO, the European Union, Australia, Britain, Canada, Japan and New Zealand,” with US President Biden cast in the unlikely role of Professor Moriarty, the criminal mastermind pulling the secret strings. This “unusually broad coalition of Western countries” has coalesced, Global Times argues, “to publicly blame China for cyberattacks.”

Really, Beijing’s representatives say, the international villain is the US, which since 2000 has engaged in relentless cyberespionage against China. It’s all in vain, of course, since China’s rise is ineluctable and irreversible, but still, Beijing says, it’s time the US were brought to book as a rogue state.

Thus the response is a routine tu quoque. One novel wrinkle in the Global Times article is its identification of the SWIFT international fund transfer system as a tool of the US Intelligence Community, which uses it to track and presumably influence the flow of money to and through the world’s banks, especially those in the Middle East and Latin America.

Kaseya got a decryptor from somewhere.

Kaseya has obtained a decryptor for REvil ransomware, and is using it to help customers recover their affected data. Kaseya says that it obtained the decryptor from an unnamed “third party,” but adds that it’s working with ransomware decryption specialists Emsisoft who have confirmed the decryptor’s efficacy. Computing speculates about who that unnamed third party might be, and comes up with three leading candidates: “the US government, the Russian government, or a ransom payment to the attackers.”

Controversy over alleged abuse of NSO Group intercept tools.

Forbidden Stories’ Pegasus Project has published the results of a long-running, collaborative investigation of NSO Group. From a leaked list of over fifty-thousand phone numbers “NSO clients selected for surveillance,” investigators determined that one-hundred-eighty journalists in at least five countries were targeted. NSO’s government clients involved in the surveillance include Bahrain, Morocco, Saudi Arabia, India, Mexico, Hungary, Azerbaijan, Togo, and Rwanda. NSO disputes allegations of involvement, but will investigate the “disturbing” possibility of abuse, the Washington Post says.

The Washington Post, one of the organizations participating in the Pegasus Project, writes that among the devices compromised with the tool were phones belonging to “journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi.” NSO Group has consistently said that its product is designed for, and sold to, government law enforcement and security organizations for legitimate purposes, and that the list of 50,000 phone numbers Forbidden Stories and Amnesty International obtained has nothing to do with NSO. “I’ll give you a simple statement: Journalists, human rights activists, and civil organizations are all off-limits,” NSO Group CEO Shalev Hulio told CTECH. Investigations into the use of Pegasus are now underway in France and Israel, and may soon begin in India, Mexico, and Hungary.

NSO Group told the BBC that blaming the company for abusive use of its Pegasus tool is like “criticising a car manufacturer when a drunk driver crashes.” NSO continues to dispute any connection between the leaked list of fifty-thousand alleged targets and its products or customers. “It’s an insane number,” a company representative said. “Our customers have an average of 100 targets a year. Since the beginning of the company, we didn’t have 50,000 targets total.”

Amazon Web Services told Motherboard that the cloud provider has revoked NSO Group’s access to its infrastructure. AWS said “When we learned of this activity,” that is, the targeting of journalists, dissidents, and others with NSO Group’s Pegasus intercept tools, “we acted quickly to shut down the relevant infrastructure and accounts.” NSO Group had used Amazon Web Services’ CloudFront content delivery network. It will no longer be able to do so.

The Guardian’s account of alleged corrupt abuse of surveillance tools points to a further problem with intercept tool proliferation. While much of the attention NSO Group has drawn has centered on its sale of Pegasus to repressive regimes, the tool can also leak out of the hands of the customers it was sold to. In the case of at least one journalist murdered in Mexico, apparently by a drug cartel, the Guardian suggests that the intercept tool could have been delivered to the cartel by corrupt law enforcement officials who had access to it in the course of their duties.

Haaretz observes that this seems unlikely to deflect criticism of NSO Group, which for some time has been widely criticized for its selection of customers. Letters from Novalpina Capital, one of NSO Group’s principal owners, to Amnesty International in 2019 describe how NSO would seek to prevent the abusive use of its tools and ensure compliance with Israeli export laws. Those letters make some of the same points NSO Group is making now—notably that it doesn’t operate its own tools once those are provided to its government customers—but they also acknowledge the general soundness of investigations by Citizen Lab, and undertake to perform due diligence with respect to the company’s sales.


Cyber threats to the Olympic Games.

The Tokyo Olympics are officially underway, with the opening ceremonies held yesterday. The Washington Post takes note of the risk of a disruptive cyberattack on the games, pointing out that the last two Olympics sustained Russian cyberattacks in apparent retaliation for the disqualification of some of that country’s athletes in a doping scandal. 

Last autumn Britain’s National Cyber Security Centre reported finding signs that Russia’s GRU had conducted reconnaissance of the Games’ “organisers, logistics services and sponsors.” Whether such reconnaissance will serve to prepare attacks against the Games, originally scheduled for last year but postponed until now due to the pandemic, remains to be seen.  

The US FBI outlined the nature of the threat in an advisory issued earlier this week. The Bureau said that both criminal and nation-state activity is possible: 

“[C]yber actors who wish to disrupt the event could use distributed denial of service (DDoS) attacks, ransomware, social engineering, phishing campaigns, or insider threats to block or disrupt live broadcasts of the event, steal and possibly hack and leak or hold hostage sensitive data, or impact public or private digital infrastructure supporting the Olympics. Malicious activity could disrupt multiple functions, including media broadcasting environments, hospitality, transit, ticketing, or security. The FBI to date is not aware of any specific cyber threat against these Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments.”

The incident at Saudi Aramco is an extortion attempt.

The motivation for the data theft incident at Saudi Aramco had been obscure, but it has now become clearer: it is conventional extortion. Saudi Aramco confirmed, the AP reports, that the data loss incident it sustained has become an extortion attempt. Attackers who obtained company files (apparently through a third-party contractor) are demanding $50 million in exchange for a promise to delete the data. If they’re not paid, they intend to leak the stolen files.

The criminal extortion group, which styles itself ZeroX, has been offering a terabyte of proprietary data stolen from Saudi Aramco. BleepingComputer says the gang claims the data include personal information on 14,254 employees, business documents, and engineering information. Saudi Aramco says ZeroX obtained the data from third parties via exploitation of an unspecified zero-day. The attack did not involve ransomware, and did not at the time appear to be the extortion play it has now been revealed to be.

Crime and punishment.

Netherlands police have announced the arrest of a twenty-four-year-old man and a fifteen-year-old boy in connection with the investigation of a group, “the Fraud Family,” that developed phishing kits and sold them via a Telegram channel to criminal customers in Belgium and the Netherlands. The twenty-four-year-old allegedly wrote the code and the fifteen-year-old allegedly sold it. A third suspect, an eighteen-year-old man, was also taken into custody, but his alleged role in the caper is unclear. Group-IB has been tracking the Fraud Family since last year. It’s another instance of the commodification of attack tools, in which criminals purchase relatively capable, easy-to-use kits that they would have neither the interest nor the ability to build on their own.

Policies, procurements, and agency equities.

The US has expanded sanctions against some Russian outfits for their activities in cyberspace. The Commerce Department’s Bureau of Industry and Security added six Russian organizations to the Entities List. Placement on the Entities List restricts the named persons’ or organizations’ ability to trade with the US. The revised and expanded Entities List is unlikely to exhaust the retaliatory measures the US will probably take against Russian cyber activity, in particular recent ransomware attacks by Russian gangs.