Strategic insights for leaders from tactical cyber observers.

As the world becomes increasingly dependent on the internet and cyberspace remains a contested environment, leaders must monitor geopolitical and cybersecurity risks more than ever. LookingGlass presents the Cyber Monitor – a weekly rollup of analysis and trending topics in cybersecurity for executives to keep abreast of threats, incidents, and risks to their organization and national security.

EDITOR’S HIGHLIGHTS

Author and journalist Kim Zetter addressed Colonial Pipeline during the keynote session opening the second day of Black Hat USA, saying its leaders had plenty of warning that could have prevented the attack. The high-profile attack that locked up Colonial Pipeline, which distributes 45% of fuel across the US East Coast, forced it to shut down its 5,500 miles of pipeline until it paid over $4.4M in ransom. Zetter suggested there is no reason last year’s ransomware attack should have blindsided the company’s top leaders. She stated that ransomware had been a growing threat, and that months after the attack, the company CEO told lawmakers on Capitol Hill that the company had an emergency response plan, but that plan did not include a ransomware attack – even though ransomware attackers had been targeting critical infrastructure since 2015. Zetter pointed to Critical Infrastructure Ransomware Attacks (CIRA) statistics compiled by Temple University in 2019, just two years before the Colonial Pipeline attack. The researchers counted ~400 ransomware attacks on critical infrastructure in 2020 and 1,246 attacks between November 2013 and July 31, 2022. Further, Zetter noted that in 2020, the year before the Colonial Pipeline attack, Mandiant reported that seven ransomware families had struck organizations that operate industrial control systems since 2017. The attacks created major disruptions and production and delivery delays. Moreover, in 2020, 10 months before the Colonial Pipeline attack, CISA issued a reminder of the DHS’s Pipeline Cybersecurity Initiative. The effort, created by DHS in 2018, was a joint effort of CISA, the Transportation Security Administration (TSA), and various federal and private sector stakeholders. Dark Reading

Analyst Comment: LG analysts observe that enterprises continually ignore the basics of attack surface and risk management. This attack occurred due to a failure to enforce basic computer and network hygiene. Ransomware is no longer a growing threat; it is an established threat that will continue to evolve with new tactics and more sophistication. Companies, especially those in critical infrastructure, have to stay alert and diligent to protect their systems, employees, and customers, and can no longer ignore early warning signs or basic cyber hygiene.

During Q2 of this year, attacks on a remote code execution vulnerability in Microsoft’s MSHTML browser engine, which was patched in September, increased dramatically, according to a Kaspersky analysis. Last quarter, Kaspersky researchers counted at least 4,886 attacks targeting the flaw (CVE-2021-40444), an eightfold increase over Q1 of 2022. The ease with which the vulnerability can be exploited, according to the security vendor, is what keeps adversaries interested in it. The threat actors have exploited the flaw in attacks on organizations in a variety of industries, including energy and industrial sectors, research and development, IT companies, and financial and medical technology firms. In many of these attacks, the attackers used social engineering techniques to trick victims into opening specially crafted Office documents, which then downloaded and executed a malicious script. The flaw was actively being exploited when Microsoft first disclosed it in September 2021. The MSHTML flaw attacks were part of a larger set of exploit activity last quarter that overwhelmingly targeted Microsoft vulnerabilities. Exploits for Windows vulnerabilities accounted for 82% of all exploits across all platforms in Q2 of 2022, according to Kaspersky. Dark Reading

Analyst Comment: This stresses how crucial it is that systems are patched and updated so potential vulnerabilities cannot be exploited by attackers. Social engineering tactics are common due to the higher likelihood of human error. Companies should require employees to take security awareness training that teaches them what to look for and how to help protect themselves and the company.

The Cipher Brief hosted the Cyber Initiatives Group (CIG) Summer Summit on August 17. LookingGlass’ top takeaways:

  • ODNI’s CTIIC (Cyber Threat Intelligence Integration Center) Director Laura Galante noted cryptocurrency as an area to watch. It is not being adopted in the US the way it is in other parts of the world, and it will increasingly be associated with emerging threats. It is also a challenging space to understand as its decentralized concept is relatively new and the IC must adapt.
  • Lt. Gen. Michael Groen, former Director of the JAIC, spoke about the Chinese Communist Party’s strong organizational skills, which it has translated into effective cyber operations. He argued that the US must use the innovative environment that exists between American universities and Silicon Valley to become a highly organized opponent to China.
  • Accenture’s Jim Guinn compared financial services to the water sector. He noted that financial players have global assets they need to protect while water districts are small. Water service providers may serve thousands of residents or hospitals, among other infrastructure. And these small districts may be served by small groups of people that don’t have strong cyber understanding. He also said that regulation is not the answer as it creates a culture of “bare minimums” that maintains a low barrier for threat actors to hurdle. It should be more about collaboration and independence.
  • A panel with David Sanger, Microsoft’s Kelly Bissell, and Recorded Future’s Stuart Solomon concluded that technological decoupling with China is continuing to increase.
  • On Ukraine, Sue Gordon, former PDDNI, said the conflict demonstrates the role information warfare plays in today’s wars. And the IC is finding a balance between protecting and sharing intelligence. She said we are seeing a trend where protecting intelligence historically dominated but sharing intelligence really started when the IC publicly released intelligence about Russian intervention in the 2016 election. And publicly sharing intelligence about the Russian invasion of Ukraine was critical. This transparency will likely remain a trend.
  • Dmitri Alperovitch assessed Taiwan’s window of maximum vulnerability to Chinese threats is 5-10 years out, not in the next year or two. And Taiwan is not adequately equipped with weapons and systems to defend against a Chinese invasion. He also noted that China has not mastered semiconductor technology and still has to leverage western expertise – this is where the US has leverage. And we should not allow Xi’s strategic mission to become semiconductor dependent. He also said the US needs to reduce reliance on China and Taiwan; the recent CHIPS Act is only a drop in the bucket.

According to Chris Krebs, former CISA director, the public and private sectors need to be vigilant about geopolitical tensions, digital transformation, and increasing cyber-offensive capabilities from adversaries to avoid falling behind. In the last six months, there has been an unprecedented collision between geopolitical risks and technology risks — and this will only continue, according to Krebs. In addition to the ongoing war in Ukraine, it is important to watch Taiwan. Krebs emphasized that leaders need to plan three to four years into the future and companies should be conducting simulation scenarios, impact assessments, and tabletop exercises at the executive level around what’s happening in the Taiwan Strait. A Chinese invasion of Taiwan has the potential to impact organizations affecting the technology supply chain, competition and markets, and IT operations. Krebs also noted that as the COVID-19 pandemic drove an acceleration to the cloud and digital transformation, it became clear that the benefits of insecure products outweigh the downsides. Businesses are focused on productivity and reducing friction, and security tends to slow things down. The result is that companies are building more insecure products due to marketplace pressures. Meanwhile, as the ongoing mass migration to the cloud is being done to increase flexibility, elasticity, productivity, and efficiency, there has been a reduction in firms’ ability to see what’s happening across their infrastructure. Cybercriminals understand these shifts in business architecture, along with the dependencies and the trust connections housed within the relationships between software services and technology providers; this, he warned, will continue to foment more attacks against the supply chain and managed service providers. Dark Reading

Analyst Comment: LookingGlass analysts are actively monitoring underground cyber activities associated with heightened geopolitical tensions such as the war in Ukraine and the Taiwan Strait. As a previous report mentioned, LGC noticed an uptick in the selling and purchasing of Taiwan data on underground forums and marketplaces since July 28, 2022, a week before US House Speaker Pelosi’s visit to Taiwan. LGC also observed similar trends from August 1 to August 15, 2021, when tensions between the US and China escalated due to the US arms sale to Taiwan. These events highlight how cyber operations have become part of regional conflict and power competition.

NATION STATE ACTIVITY

Cybersecurity firms Trend Micro and SEKOIA have identified a new malware campaign from Iron Tiger. The China-linked cyberespionage group is targeting Windows, Linux, macOS, and iOS users through trojanized versions of MiMi chat app installers. The primary targets of this campaign were in Taiwan and the Philippines. Trend Micro could identify one of the victims, a Taiwan-based gaming development firm, while overall, thirteen entities were targeted. The group previously launched politically motivated, profiteering, and intelligence-gathering-driven cyberespionage campaigns. For instance, in June 2018, Iron Tiger APT was caught targeting a national data center of an unknown Central Asian country using a watering hole attack. The group’s latest campaign was identified in June after Trend Micro researchers downloaded infected versions of MiMi’s iOS version. In this campaign, Iron Tiger’s modus operandi involves compromising the MiMi Chat app servers to infect unsuspecting users’ devices. According to SEKOIA, the campaign has all the elements of a supply chain attack since the app’s backend servers that host MiMi’s legitimate installers are controlled by the attackers. The modified MiMi installers download an in-memory, custom backdoor called HyperBro on the targeted device. Hack Read

Analyst Comment: Iron Tiger is known for targeting the gambling, governments, telecommunication, and energy sectors in South East Asia in early 2010 but has been observed attacking high-tech targets in the US since 2013. MiMi Chat is not a popular application for day-to-day use in mainland China, and its name, MiMi, has been adopted by multiple chat applications; most of these chat applications are available from Google Play, App Stores, and various third-party websites, providing services ranging from regular messaging to online dating, and possible pornographic content. It is worth investigating the true motives for Iron Tiger’s operations as the China-linked APT group could be working with law enforcement to crack down on the gambling and pornography industries.

Additionally, researchers indicated that running the DMG installer on a macOS system would prompt several warnings before the backdoored app is installed. Both the legitimate and the backdoored versions of the installer were unsigned. LGC analysts have observed actors selling application signature services on underground forums, Telegram channels, and the Clearnet. Iron Tiger’s recent activity is an example of a cross-platform attack through app targeting.

Microsoft released new information on Monday, August 15, about a suspected Russian hacking group that has been conducting cyberespionage attacks against government organizations, think tanks, and defense contractors in NATO countries since at least 2017. Microsoft’s Threat Intelligence Center (MSTIC) also said it has “taken actions to disrupt campaigns” launched by the group, which they call SEABORGIUM but is also referred to as Callisto, COLDRIVER and TA446 by other security researchers. The group has been highly active this year, with researchers at Microsoft observing campaigns targeting over 30 organizations “in addition to personal accounts of people of interest.” Microsoft was able to independently link SEABORGIUM to the campaign, adding that the group was also behind a May 2021 information operation that involved documents allegedly stolen from an unnamed UK political organization. Microsoft said the group conducts extensive reconnaissance of its targets before launching a hacking campaign, and creates various accounts and social media profiles to identify people “in the targets’ distant social network or sphere of influence.” Fraudulent profiles on LinkedIn — which is owned by Microsoft — were created by the group to spy on employees from specific organizations of interest, according to the researchers. Once the group has conducted its reconnaissance and created accounts to be used in phishing attacks, it generally emails the target with a “benign” message “typically exchanging pleasantries before referencing a non-existent attachment while highlighting a topic of interest to the target.” Although there are several ways that the group gains access to a target’s infrastructure, the simplest variation involves a URL that directs the target to a server hosting EvilGinx or another phishing framework. The framework mirrors the sign-in page of a legitimate service, and harvests credentials that the target enters. The Record

Shuckworm, a cyber group linked to Russia, is still targeting Ukrainian organizations with information-stealing malware. According to Symantec’s Threat Hunter Team, which is part of Broadcom Software, much of the current activity is a continuation of attacks reported by Ukraine’s Computer Emergency Response Team (CERT-UA) in July. Shuckworm (also known as Gamaredon and Armageddon) is an eight-year-old cybercrime group that focuses almost entirely on Ukraine, according to Symantec. The analysts stated that Shuckworm used self-extracting 7-Zip files, which were downloaded via email. The binaries in the 7-Zip files subsequently downloaded mshta.exe, an XML file, which was likely masquerading as an HTML application, from the domain a0698649[.]xsph[.]ru. It has been publicly documented since May 2022 that subdomains of xsph[.]ru are associated with Shuckworm activity. This domain was used in a phishing attack spoofing the Security Service of Ukraine with “Intelligence Bulletin” in the subject line, according to CERT-UA. Shuckworm is also using the Giddome backdoor, a well-known espionage tool. Some of these Giddome variants could have come from VCD, H264, or ASC files. VCD files, like .ISO files, are images of a CD or DVD that Windows recognizes as an actual disc. The attackers also used the legitimate remote desktop protocol tools Ammyy Admin and AnyDesk for remote access, which is a common tactic used by cyber gangs, according to Symantec. TechRepublic

HACKTIVISM

A hacktivist group claims to have hacked mining and oil companies, as well as government agencies in Central and South America to “sabotage” western companies and corporations that exploit the region’s natural resources. The group published thousands of emails from the hacking victims through the group Distributed Denial of Secrets and Enlace Hacktivista, a site that has the goal of documenting hacker history and publishing “educational resources for hackers.” The hackers stated they spent little time and effort – they just had to download the emails; they remarked that their previous hack against Pronico, a mining company in Guatemala, took them more than six months. The hacktivist group published a manifesto in Spanish in which they decry how countries such as the United States, and western corporations, have taken advantage of the natural resources of Central America, which the group refers to as Abya Yala, the original indigenous name of the region between northern Colombia and Panama. It’s unclear if the breaches had any other effect than the theft and leak of internal emails. Vice.com

Analyst Comment: This group is called Guacamaya, which is the Mayan name for the macaw parrot. Guacamaya shared a video demonstrating how they hacked Pronico and encouraged others to hack and leak data as well. Phineas Fisher, a hacktivist, is a source of inspiration for the group, which has mimicked their style. LGC has been tracking these leaks from DDoSecrets and will continue to monitor.

CYBERCRIME

Ransomware groups have increased their targeting of countries in Latin America, Asia, Africa, and Oceania, according to a report released by the British think tank RUSI (the Royal United Services Institute). Ransomware groups shifted their targeting over the last year in response to actions by US and European law enforcement agencies in the aftermath of a string of high-profile attacks that appear to have crossed a line and reached a point where the ransomware problem needed to be addressed, according to RUSI analysts. Arrests of ransomware affiliates and their money laundering partners, seizure of cryptocurrency funds linked to previous ransom payments, financial sanctions against cryptocurrency platforms that aided money laundering operations, and the formation of special task forces to target these groups were all part of this effort. RUSI is not alone in reaching this conclusion; other ransomware experts have been observing this trend since last year, when, following operations orchestrated by US CyberCom and the FBI, ransomware groups appear to have (quietly) decided to stop focusing on major US targets and gradually shift to new hunting grounds. Furthermore, RUSI analysts note that the focus on Global South countries may be intentional and related to the current political climate, in which payments to Russian cybercrime gangs may be subject to economic sanctions in North America and the EU, sanctions that are now difficult to interpret even for the largest legal teams, owing to the complications that have arisen as a result of Russia’s invasion of Ukraine. Risky Biz

Cisco has confirmed a breach of its network, which resulted in cyberattackers gaining access to the company’s virtual private network (VPN) and the theft of an unspecified number of files from its network, the company stated on August 10. The attacker compromised a Cisco employee’s personal Google account, which gave them access to the worker’s business credentials through the synchronized password store in Google Chrome. To bypass the MFA protecting access to Cisco’s corporate VPN, the attacker attempted voice phishing and repeatedly pushed MFA authentication requests to the employee’s phone. Eventually the worker inadvertently accepted the push request, giving the attacker access to Cisco’s network. With access established, the attacker then tried to move through the network by escalating privileges and logging into multiple systems. The threat actor also installed several tools, such as remote access software LogMeIn and TeamViewer, as well as offensive security tools, such as Cobalt Strike and Mimikatz, both in wide use by attackers. Cisco believes the threat actor is an initial access broker — an adversary that gains unauthorized access to corporate networks and then sells that access as a service on the Dark Web. The threat actor appears to have “ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators,” Cisco’s Talos group stated. Dark Reading

Analyst Comment: Yanluowang claimed responsibility for this breach, as Cisco was listed on their data leak site on August 10, 2022. Organizations have moved from a more perimeter-centric security approach to an identity-driven model. Employees continue to increase their digital footprint in cyberspace without understanding the associated risks. The recent Cisco breach shows that multi-factor authentication (MFA) may not be secure, as humans are the weakest link in cybersecurity. Recent research from Mesh Security also indicated that MFA tools could be bypassed if actors manage to steal the cookies of an authenticated user and hijack their sessions.

Cybercriminals are increasingly using data dumped from ransomware attacks in secondary business email compromise (BEC) attacks, according to a new analysis by Accenture Cyber Threat Intelligence. The ACTI team analyzed data from the 20 most active ransomware leak sites, measured by number of featured victims, between July 2021 and July 2022. Of the 4,026 victims uncovered on various ransomware groups’ dedicated leak sites, an estimated 91% incurred subsequent data disclosures, ACTI found. Dedicated leak sites most commonly provide financial data, followed by employee and client personally identifiable information and communication documentation. The rise of double extortion attempts – where attack groups use ransomware to exfiltrate data and then publicize the data on dedicated leak sites – has made large amounts of sensitive corporate data available to any threat actor. And data thieves are making it easier for their customers to find and access the stolen information. The dedicated leak sites are increasingly available on publicly accessible sites, not hidden away on Tor domains, and some offer searchable indexed data to make it easier for threat actors to find what they need for their attacks. For example, the operators of the data-selling marketplace Industrial Spy organize and name folders with labels that reflect their content to make finding specific files easy, according to ACTI. Customers can use the marketplace’s search functionality to find specific files, such as employee data, invoices, scans, contracts, legal documents, and email messages. Dark Reading

Analyst Comment: This is similar to ransomware data leak sites such as Alphv and Lockbit 3.0, which have recently introduced searchable functions and packaged victim data for users. It is very common to see the double extortion technique where ransomware affiliates will turn around and resell the data after the victim company has paid. It is also common to observe the same company across multiple sites, which suggests an overlap in ransomware affiliates working for multiple groups. LGC has observed several victims’ names posted on Industrial Spy’s site that were previously claimed as victims on various ransomware data leak sites. It is possible that Industrial Spy operators are downloading data from these sites after it becomes publicly available and then resharing it under their free section to make it more accessible for users or reselling it under one of their general or premium sections.

The sharp decline in cryptocurrency value has dampened activity around specific types of financial crimes, most notably investment scams and illegal Dark Web transactions, resulting in a decrease in consumer losses in the first half of 2022, according to Chainalysis. Total revenue collected by scammers fell by 65% in the first seven months of the year. The drop is only partly due to a drop in the value of major cryptocurrencies. Bitcoin, for example, lost 51% of its value between January 1 and July 31, and that still does not account for the total drop. The number of deposits associated with scams has also decreased by more than 66%, indicating that fewer consumers are falling victim to such efforts. According to Chainalysis’ midyear update, cryptocurrency is the financial backbone of most online crimes, so the drop in cryptocurrency has impacted other major cybercrimes such as money laundering and ransomware. According to cybersecurity firms, both have dropped by 20% to 25% since the beginning of the year. However, the volatility has had less of an impact on crimes that do not rely on enticing victims with cryptocurrency. According to the FBI’s Internet Crime Complaint Center (IC3), business e-mail compromise (BEC) still accounted for 35% of monetary losses in 2021, compared to 0.7% for ransomware. Dark Reading

CRITICAL INFRASTRUCTURE

Dark web intelligence firm Cyble reported an increase in cyberattacks targeting virtual network computing (VNC). The VNC graphical desktop-sharing system relies on the Remote Frame Buffer (RFB) protocol to provide control of a remote machine over a network. Exposing VNC to the internet has long been deemed a security risk, yet Cyble has identified over 8k internet-accessible VNC instances that have authentication disabled. Cyble also warns of a spike in attacks targeting port 5900, the default port for VNC, noting that the Netherlands, Russia, and Ukraine have emerged as the top attacking countries. Most of the exposed VNC instances, according to the threat intelligence firm, are located in China, Sweden, the US, Spain, and Brazil. Some of the exposed VNCs belong to organizations in critical infrastructure sectors, including water treatment plants, manufacturers, and research facilities. Cyble says it was able to identify multiple human-machine interface (HMI) systems, SCADA systems, and workstations that are connected via VNC and internet-accessible. Attackers able to compromise such systems may tamper with predefined settings, shut down industrial control systems (ICS), disrupt the supply chain and processes in the affected industries, or access sensitive data that can be used to further compromise ICS systems. Exposing VNCs to the internet, Cyble notes, increases the likelihood of a cyberattack, including ransomware, data theft, and cyberespionage, all of which are typically preceded by an initial network compromise. Security Week

ENERGY

On Tuesday, August 16, Ukraine’s state nuclear power company Energoatom said Russian hackers had launched an “unprecedented” cyberattack on the company’s official website. People’s Cyber Army, a Russian hacktivist group with over 8.2k volunteer members, used 7.25M bot accounts to flood Energoatom’s website with junk traffic, rendering it unreachable. The three-hour attack had no significant impact on the company’s operations. According to Energoatom, it was able to quickly regain control of the website and limit the attack. The People’s Cyber Army boasted about the attack on Telegram late on Tuesday before moving on to other targets, including the websites of Ukrainian steelmaker Dneprospetsstal and the government-run Ukrainian Institute of National Memory. As of Wednesday morning, both websites were still operational. People’s Cyber Army, based in Russia, is similar to the Ukrainian hacktivist group IT Army, which has over 235k Telegram followers. Both groups conduct distributed denial-of-service attacks on “enemy” websites, fueling Russia and Ukraine’s cyber war. Most of these attacks have no long-term impact, but they can temporarily disrupt businesses and their customers, who have previously been unable to buy train tickets, order food delivery, or watch a movie online while the DDoS attack is in progress. Although the attack had no long-term impact on Energoatom, cybersecurity experts say it is still worth monitoring. The Record

WATER

On Monday, August 15, South Staffordshire PLC, the water supplier to approximately 1.6M people in the South Staffordshire and Cambridge regions of the UK, announced a cyberattack. The company stated the incident did not affect its ability to supply safe water and focused solely on their corporate IT network. The announcement came hours after cybersecurity experts expressed confusion and concerns about comments made by the Cl0p ransomware group. The prolific ransomware gang claimed on its leak site that it attacked Thames Water — another water provider in the UK. Many of the documents are tied to South Staffordshire PLC or are about residents of South Staffordshire. The leaks included UK passports, driver’s licenses, credentials and screenshots of systems within South Staffordshire’s operational network. Cl0p included a lengthy note alongside the stolen files. Even though they apparently named the wrong company in their post, the group claimed to have been in contact with a negotiator. Cl0p claimed that they “spent months” in the company’s system and saw “first hand evidence” of bad security practices. Despite attacking the water authority, the group said it does not attack critical infrastructure and decided against encrypting the company’s systems. The Record

Analyst Comment: Cyber threats across critical infrastructure sectors have increased in recent years. Cyber intrusions targeting US Water and Wastewater systems (WWS) highlight various vulnerabilities associated with the sector such as insider threats, Remote Desktop Protocol (RDP), spear phishing, and exploitation of unsupported or outdated operating systems and software.

FINANCE

According to the Office of the Comptroller of the Currency (OCC), banks must collaborate through public and private partnerships to mitigate cybersecurity risk. During a speech this month at a joint meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council, Michael J. Hsu, acting comptroller of the currency, said cyber-attacks against financial institutions and their service providers have increased and evolved in recent years. Disruption to financial services can affect banks’ ability to deliver critical services to their customers and has the potential to impact the broader economy. Hsu suggested banks must assess how a cyber incident would impact their institution as well as the disruption it could cause to the broader financial system. Most cyber-attacks are financially motivated, but Russia’s invasion of Ukraine has highlighted how geopolitical tensions can further increase cyber risks to the financial sector. As these attacks were not financially motivated, they could not be mitigated by a ransom payment or insurance coverage, prompting Hsu to call on the industry to improve its collective defenses. Banking Exchange

HEALTHCARE

A database allegedly containing the personal information of 48.5M citizens based on Shanghai’s health code system has been put up for sale online, according to a post on a hacker community website. A poster using the handle XJP asked for $4k to hand over a database based on Shanghai’s health code system containing the personal information of 48.5M unique users who “live in, or have visited, Shanghai” since the QR code system’s implementation. The poster also released a sample of the database, which included 47 citizens’ names, phone numbers, ID numbers, and health code status. One of those whose data appeared on the list, a citizen named Feng, confirmed the accuracy of his own information. Shanghai’s health code is a QR code program developed in early 2020 by the Shanghai Big Data Center to assist local authorities in managing the Covid-19 outbreak. It categorizes a citizen’s risk of spreading the virus by labeling them with one of three QR code colors: red, yellow, or green. It is now a required digital tool in the daily lives of Shanghai residents, who must present a green code before using public transportation or entering public venues. The alleged leak, which comes just a month after what could be the country’s largest data leak, has raised concerns about the security of private information in China, where the government has collected vast amounts of data from its citizens for social surveillance and governance purposes. SCMP

Healthcare is now the number one target of continuous, concerted cybersecurity threats, with critical healthcare systems constantly under attack. According to data from the US Department of Health and Human Services, the number of healthcare breaches in the first half of this year is nearly double that of the same period last year. And the average cost of a healthcare data breach has risen to $10M, making it the most expensive industry for breach costs. Three factors indicate why healthcare systems are most at risk, according to a healthcare industry expert:

  1. The breadth and depth of data held in patient records.
  2. The potential for impact on complex interconnected IT infrastructures and service delivery.
  3. The reputational damage caused by a successful breach.

All of this makes healthcare systems an ideal target for ransomware. Global ransomware attacks on the healthcare sector surged by 94% in 2021, so it is imperative that industry executives and stakeholders understand the fundamentals, according to experts. Forbes

Novant Health, a US healthcare provider, is warning patients about a potential data breach caused by an incorrect configuration of an online tracking tool from Facebook’s parent company. Novant, which operates more than 50 healthcare facilities throughout North Carolina, stated that a snippet of JavaScript code was placed on its website as part of a promotional campaign during the early stages of the coronavirus pandemic. The code was for Meta Pixel, a digital tracking tool that organizations can use to determine the success of Facebook marketing campaigns. The tracking pixel in question, however, was “incorrectly configured and may have allowed certain private information to be transmitted to Meta” from the Novant Health website and patient portal, according to the company. Novant Health stated in a recent privacy statement that it removed the pixel as soon as it discovered that it could transmit data to Meta. Following further investigation, the healthcare provider stated that the leaked data could include an email address, phone number, computer IP address, and healthcare appointment information, depending on a user’s activity on the Novant Health website and MyChart portal. PortSwigger


GOVERNANCE

USG

During an open hearing on spyware held last week, House Intelligence Committee chair Rep. Adam Schiff expressed two separate concerns about the commercial spyware industry. The first is that proliferation allows the targeting of governments themselves with sophisticated spyware, and the second is that commercial spyware is used by authoritarian governments to facilitate oppression and human rights abuses such as the targeting of journalists and activists. The number one priority for some governments is to stay in power, and that is what many governments use spyware for. All states have legitimate national security needs where advanced spyware could be of use, but relatively few states have mature governance structures, such as an independent judiciary with robust oversight, that prevent these tools from being abused by those in power. Even amongst EU member states, for example, the use of spyware to target politicians for domestic political gain is not uncommon. Last week, Nikos Androulakis, the president of Greece’s second-largest opposition party PASOK and a member of the EU Parliament, claimed his device had been compromised by Predator spyware. This comes in addition to previous news about the targeting of Catalan activists in Spain and journalists in Hungary. These incidents all look to be domestic targeting for political purposes rather than targeting for legitimate national security reasons. Pressing countries like Hungary and Spain to pass new laws limiting the use of spyware may have limited effect – governments oppressing their citizens to suppress dissent won’t behave well the moment they create new laws. Encouraging countries to pass effective laws is a worthwhile goal, yet it’s a long-term project. Aside from domestic regulation, using traditional export control mechanisms to rein in spyware proliferation will be difficult, as there is no technical basis for defining ‘good’ exports vs ‘bad’ exports. The same spyware used to target terrorists and organized crime syndicates can also be used against political opponents and human rights advocates. According to Seriously Risky Business, export control regulations and new legislation that tackles the supply and use of surveillance technology are both worthwhile but will take time to have the desired effect. Risky Biz

According to US National Cyber Director Chris Inglis, the US needs to replicate the cyber defense tactics used in Ukraine by residents, government agencies, and companies going forward. At the DEF CON hacking conference in Las Vegas last week, Inglis spoke about how the thinking around cybersecurity and defense needs to change, from both the perspective of regular end users as well as the companies developing critical platforms. The Colonial Pipeline ransomware attack, he said, was emblematic of how things need to change, considering the cyber hygiene of one person affected the confidence of millions of gas customers across the East Coast. Inglis lauded Ukraine for collectivizing cyber defense in a way few countries have done before. Like many experts, he thought the massive power difference between Russia and Ukraine from a cyber offensive standpoint meant Ukraine would have a hard time defending itself. “We didn’t give enough credit to the Ukrainians,” he said, explaining that the country’s government did extensive preparatory work building out a system of resilience and robustness that was buoyed by a larger cybersecurity awareness among the country’s residents. According to Inglis, the other main tranche of cyber defense that broke in Ukraine’s favor was the decision of major tech providers to step up cybersecurity efforts significantly. Companies like Microsoft, ESET, and Cisco took the innovative step of viewing their terms of service as an obligation to defend customers in Ukraine. Inglis noted this kind of defense from corporate technology providers should be what is required of companies providing hardware and software. Separately, he noted that more needs to be done in teaching children and young adults the kind of cyber hygiene that will be needed moving forward. The Record

Ohio is forming a volunteer IT army to combat election hacking as the state turns to private-sector professionals to defend voting systems from cyberattacks. The Ohio Cyber Reserve, formed just before the pandemic, has 80 members who can be called up under the command of Major General John Harris of the National Guard. According to organizers, the program already has state funding to expand to 200 people and could eventually grow to 500. The majority of members take time off from work to fulfill their reserve duties and receive travel reimbursement for training. The idea that unpaid militia members could help with election security demonstrates how much pressure local officials are under, according to an analyst. There are 88 county election boards in Ohio alone, and 1,603 local election officials in Michigan. In a political landscape riven by disagreements over real and imagined threats to the ballot box, Ohio’s electronic militia is a rare point of bipartisan agreement. Even as some Republican leaders in states and Congress focus on former President Donald Trump’s baseless claims about 2020 election fraud, the country’s election systems face real challenges. Officials in cyber security say the outcome of a vote has never been compromised, but the threat of digital tampering looms large. Although new US guidelines advise against enabling wireless connectivity and connecting voting and tabulation machines to the internet, cybersecurity experts say those machines could still be “hackable” via sophisticated attacks or specialized malware. Online voter registration databases and other aspects of voting are more vulnerable and have previously been breached. Bloomberg


GEOPOLITICS

The Chinese government appears to be using software vulnerability disclosure rules to preview potentially dangerous zero-day vulnerabilities prior to the deployment of patches by tech firms, according to a top DHS official. Beijing’s strict vulnerability reporting rules mean government officials could get “early access” to even the most serious vulnerabilities, DHS Under Secretary for Policy Robert Silvers said during the Black Hat cybersecurity conference in Las Vegas. If the Chinese government analyzes zero-days, or previously unknown software flaws, before affected companies can deploy a fix, Beijing may gain an advantage when conducting cyberattacks against the United States or other digital adversaries. Silvers stated that a DHS review board convened to look into the recent Log4j software vulnerability, which was discovered by the Chinese tech giant Alibaba, concluded its investigation with “very troubling” questions about Chinese disclosure rules. Silvers was speaking about the findings of the DHS Cyber Safety Review Board, a group of 15 top public and private sector cybersecurity experts whose inaugural investigation into the Log4j vulnerability wrapped last month. He stated that board members are concerned by Chinese news reports that Alibaba was punished for publicly disclosing the vulnerability before alerting the Chinese government. CyberScoop


LAW & DATA PRIVACY

China has censored DXY, the country’s leading health information platform, where it has over 80M followers, for debunking Covid-19 misinformation and criticizing the government’s promotion of traditional medicine as a treatment. Regulators blocked platform Dingxiang Yuan’s (DXY) ability to post articles to accounts on popular social media apps including Twitter-like Weibo, WeChat and TikTok’s Chinese equivalent Douyin from this week, according to a source briefed on the matter. The accounts will not be unfrozen without official approval, the source added. Weibo said the suspension was due to a “violation of related laws and regulations,” without elaborating. WeChat and Douyin did not state why the accounts were suspended. Local media reported that the suspensions would last 30 days. China’s army of online censors has been working to scrub any criticism directed at President Xi Jinping’s signature zero-COVID policy, which relies on mass testing and lockdowns to curb virus outbreaks. MIT Technology Review Nikkei Asia

Record fines are expected to be levied against the world’s largest investment banks in the coming months, reflecting years of frustration among US regulators that their investigations were hampered by unmonitored messaging among bankers. Investigators at the Securities and Exchange Commission and Commodity Futures Trading Commission were repeatedly hindered by firms not archiving communications as required, according to people familiar with the matter. The government regulators were concerned that messages on bankers’ personal phones about cutting deals, trading, and courting clients were being completely lost, making it difficult to look for wrongdoing in the future. At the SEC, separate probes revealed a troubling dynamic: key conversations across finance were happening beyond the government’s reach, according to one of the people. At the CFTC, similar concerns grew as officials probed whether banks were manipulating the interest rate swaps market and found that many communications were happening outside of official channels, people said. The scrutiny intensified at the SEC after Chair Gary Gensler took over in April 2021. After investigating JPMorgan Chase over the lapses, the regulator opened an industrywide sweep across Wall Street to figure out how many business-related communications were missing. The crackdown is now expected to result in about 10 banks paying fines totaling around $2B, with lenders from Goldman Sachs to Barclays saying they expect comparable penalties to JPMorgan, which announced in December it would pay $200M in penalties to the SEC and CFTC. Bloomberg

