Strategic insights for leaders from tactical cyber observers.

As the world becomes increasingly dependent on the internet and cyberspace remains a contested environment, leaders must monitor geopolitical and cybersecurity risks more than ever. LookingGlass presents the Cyber Monitor – a weekly rollup of analysis and trending topics in cybersecurity for executives to keep abreast of threats, incidents, and risks to their organization and national security.

EDITOR’S HIGHLIGHTS

Multiple government agencies in Taiwan experienced cyber attacks before and after US House Speaker Nancy Pelosi’s visit. Before her arrival, two government websites suffered outages that were likely caused by Chinese activist hackers rather than the Chinese government, according to cybersecurity research organization SANS Technology Institute. The presidential office’s website was targeted by a distributed denial of service (DDoS) attack on Tuesday and was briefly down, according to a statement from the office. Access to the website was restored within about 20 minutes of the attack. A spokesperson later added that Taiwanese government agencies were monitoring the situation in the face of “information warfare.” A government portal website and Taiwan’s foreign ministry website were also temporarily unavailable. In a statement, the foreign ministry said both websites had been hit with up to 8.5M traffic requests a minute from a “large number of IPs from China, Russia and other places.” “These are uncoordinated, random, moral-less attacks against websites that Chinese hacktivists use to get their message across,” said Johannes Ullrich, Dean of Research at SANS. Hundreds of thousands of IP addresses associated with devices registered in Chinese commercial internet space were responsible for the disruptive digital campaign, according to Ullrich. A similar cohort of Chinese IP addresses had been scanning the internet for low-level, easily exploitable vulnerabilities since the previous week, and the activity did not match the usual tradecraft of Chinese government hackers, he added. After her departure, a third government agency, the Ministry of Defense, said it suffered cyber attacks on Thursday, August 3. Reuters 1, Reuters 2

Analyst Comment: Many were surprised by China’s quiet response to Nancy Pelosi’s visit to Taiwan. In addition to a few small cyber events, China conducted live-fire military drills surrounding the island – in Taiwan’s territorial waters in some cases – during her visit, and fired multiple missiles as part of those drills. We observed reporting leading up to her visit that Taiwan was preparing for mass casualties. LookingGlass analysts assess China was waiting for her departure to conduct any activities. It is also possible Xi – the long-game strategic thinker that he is – has internal reasons to hold off on a full-scale invasion of Taiwan. We expect Taiwan to remain on high alert in the coming days and weeks. We also cannot rule out that some cyber activities or preparations could be taking place but remain undetected at the time of this report.

A threat actor with the moniker Adrastea – which describes itself as a group of independent cybersecurity specialists and researchers – claims to have hacked multinational missile manufacturer MBDA. MBDA is a European multinational developer and manufacturer of missiles that resulted from the merger of the main French, British, and Italian missile systems companies (Aérospatiale–Matra, BAE Systems, and Finmeccanica (now Leonardo)). Adrastea claimed to have found critical vulnerabilities in the company’s infrastructure and stolen 60 GB of confidential data. The attackers said that the stolen data includes information about the employees of the company involved in military projects, commercial activities, contract agreements, and correspondence with other companies. As proof of the hack, Adrastea shared a link to a password-protected archive containing internal documents related to projects and correspondence. It is not clear whether the threat actors breached only one of the national divisions of the company.

[Figure 1: MBDA NATO has been hacked]
Security Affairs

Analyst Comment: LookingGlass observed a similar thread on the Russian-language forum Exploit. There are multiple ways threat actors validate their claims – in this case the actor included a data sample. This sample appeared to include diagrams of missile systems and Italian Ministry of Defense correspondence dated 2018. However, this data could have been collected from previous leaks and from publicly available sources. Adrastea is a newly registered username on both the Breached and Exploit forums that lacks reputation (upvotes by forum users) or a deposit, either of which could also be used to validate their claims. As of August 1, 2022, MBDA had published a press release denying the claim that it had been hacked. This suggests that Adrastea’s claims are false; however, LookingGlass continues to monitor.

Confluence server owners are advised to update their installations in response to active exploitation of a vulnerability Atlassian patched in one of its most popular products. According to Atlassian, the vulnerability (CVE-2022-26138) is a hardcoded password in the company’s app Questions for Confluence. Atlassian released a patch that disables this built-in hardcoded account on July 20, but Confluence server owners did not have adequate time to install the fix, as the username and credentials for this account were published on Twitter a day later by an “annoyed researcher.” Cybersecurity firms GreyNoise and Rapid7 reported ongoing exploitation of this vulnerability less than a week after the patch was released. Since Confluence on-premise servers are broadly used in corporate and government environments, CISA has also urged Confluence server owners to check whether the vulnerable app had been installed on their servers and then install the patches. Atlassian warned that disabling the app won’t fix the issue: server owners must either install the security fixes or manually disable the hardcoded account created by the Questions for Confluence app. Risky Biz


NATION STATE ACTIVITY

Over the past year, North Korean APT actor Kimsuky has been observed using a browser extension to steal content from victims’ webmail accounts, threat intelligence and incident response company Volexity reports. Active since at least 2012 and also tracked as Black Banshee, Thallium, SharpTongue, and Velvet Chollima, Kimsuky is known for targeting entities in South Korea, but also some located in Europe and the US. For over a year, Volexity has observed the adversary using a malicious browser extension for Google Chrome, Microsoft Edge, and Naver Whale – a Chrome-based browser used in South Korea – to steal data directly from the victims’ email accounts. Dubbed Sharpext, the extension supports the theft of data from both Gmail and AOL webmail, is actively developed, and has been used in targeted attacks on various individuals, including ones in the foreign policy and nuclear sectors. According to Volexity, the attacker stole thousands of emails from multiple victims through the malware’s deployment. Volexity noted that “by stealing email data in the context of a user’s already-logged-in session, the attack is hidden from the email provider, making detection very challenging. Similarly, the way in which the extension works means suspicious activity would not be logged in a user’s email ‘account activity’ status page, were they to review it.” Security Week

Analyst Comment: The cybersecurity community has long assessed that Kimsuky is a key intelligence-gathering asset for the North Korean government with an emphasis on strategic targets. Its vectors often include personnel associated with non-governmental organizations, think tanks, and other institutions that present as softer targets. Kimsuky has previously deployed malicious browser extensions to cull credentials from target demographics. In contrast, Sharpext allows the actor to bypass two-factor authentication and detection by the email provider en route to collecting content from the victim’s email account(s). Kimsuky is adept at including phishing and malicious extensions in its targeting cycle and will likely continue to hone its techniques going forward.
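Because Sharpext operates inside the browser and inside an already authenticated session, the email provider's logs are of little help; the place to look is the endpoint itself. The following Python script is an added illustration (not code from Volexity, LookingGlass, or the tooling described above) of the kind of check a defender can run: it walks a Chromium-based browser profile, reads each installed extension's manifest, and flags extensions whose permissions or content scripts reach into webmail hosts, noting whether the extension appears to have been sideloaded rather than installed from a store. The profile layout (`Extensions/<id>/<version>/manifest.json`), the webmail domain list and the store update URLs are assumptions about typical Chromium deployments; the two sample extensions are constructed for the demonstration.

```python
"""Audit a Chromium-based browser profile for extensions that can read webmail.

Added example; assumes the usual Chromium profile layout and treats any
extension without a Chrome/Edge store update_url as sideloaded.
"""
import json
import sys
import tempfile
from pathlib import Path

# Webmail hosts an ordinary extension should rarely need to script (assumption: extend for your estate).
WEBMAIL_DOMAINS = ("mail.google.com", "mail.aol.com", "outlook.live.com")
# Match patterns that grant reach into every site, webmail included.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Update URLs used by the Chrome Web Store and the Edge Add-ons store.
STORE_UPDATE_URLS = (
    "https://clients2.google.com/service/update2/crx",
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
)


def webmail_matches(manifest: dict) -> list:
    """Return the permission or match patterns that give the extension reach into webmail."""
    patterns = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return [p for p in patterns if p in BROAD_MATCHES or any(d in p for d in WEBMAIL_DOMAINS)]


def is_sideloaded(manifest: dict) -> bool:
    """Heuristic: store-installed extensions carry a store update_url; unpacked/sideloaded ones do not."""
    return not manifest.get("update_url", "").startswith(STORE_UPDATE_URLS)


def audit_profile(profile_dir) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report extensions that touch webmail."""
    findings = []
    for manifest_path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable manifest: skip rather than abort the whole audit
        hits = webmail_matches(manifest)
        if not hits:
            continue
        findings.append({
            "id": manifest_path.parents[1].name,   # Extensions/<id>/<version>/manifest.json
            "name": manifest.get("name", "?"),
            "sideloaded": is_sideloaded(manifest),
            "patterns": hits,
        })
    return findings


def build_sample_profile() -> Path:
    """Construct a throwaway profile: one benign store extension and one sideloaded webmail scraper."""
    root = Path(tempfile.mkdtemp(prefix="chromium-profile-"))
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "name": "Benign Store Extension", "manifest_version": 3,
            "permissions": ["storage"],
            "update_url": "https://clients2.google.com/service/update2/crx",
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {  # constructed sample, not Sharpext's real manifest
            "name": "Sideloaded Mail Helper", "manifest_version": 3,
            "permissions": ["tabs", "storage"],
            "content_scripts": [{"matches": ["https://mail.google.com/*", "https://mail.aol.com/*"],
                                 "js": ["content.js"]}],
        },
    }
    for ext_id, manifest in samples.items():
        ext_dir = root / "Extensions" / ext_id / "1.0_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Pass a real profile directory as the first argument, or run without one to use the sample.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_profile()
    for f in audit_profile(target):
        flag = "SIDELOADED" if f["sideloaded"] else "store"
        print(f"{f['id']}  {f['name']!r}  [{flag}]  {', '.join(f['patterns'])}")
```

On a Windows host the default Chrome profile usually lives under `%LOCALAPPDATA%\Google\Chrome\User Data\Default`; Edge and Whale keep the same `Extensions` layout under their own user-data directories. The check narrows attention rather than proving intent: a store-listed extension with webmail access can still be malicious, and a sideloaded one may be a legitimate internal tool, so each hit should be reviewed against the organisation's extension allow-list.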

HACKTIVISM

Hackers claimed last week to have stolen a massive data cache from the Russian Postal Service. Over 10M data points about previous shipments are included in the data set. This includes the names, addresses, and shipping information of both the sender and the recipient. In a statement to local media, the Russian Postal Service denied the breach, claiming that the hackers obtained the data from a third-party contractor. Russian delivery services have been at the center of several data leaks since Russia’s invasion of Ukraine. Risky Biz

Analyst Comment: The logistics industry, including postal and delivery services, has been targeted by hacktivists since the early stages of the Russian invasion of Ukraine, with victims including CDEK, Yandex Food, Ukrposhta (the Ukrainian Postal Service), and now allegedly the Russian Postal Service. As with the transportation industry, hacktivists’ motivation to target logistics may be an attempt to compromise the supply chain. Some of the attacks, including the CDEK and Yandex Food leaks, have also been a source of PII on Russian military members, reportedly including people who work for one of Russia’s intelligence services, the GRU, as well as journalists supporting the attack on Ukraine.

Russian hackers have launched “a new type of attack” on Lockheed Martin, which manufactures the M142 High Mobility Artillery Rocket System (HIMARS) that the US has supplied to Ukraine, according to a pro-Moscow news website. The cyberattack by the Killnet and Killmilk hacker groups occurred at 7 a.m. on Monday, August 1. The groups claimed that the rocket systems, which the Ukrainians credit with tipping the balance of the war against Russia, were responsible for thousands of deaths. The hackers stated that Lockheed Martin “is the actual sponsor of world terrorism, is responsible” for thousands of deaths. On July 28, a Russian military expert claimed on state television that Russia had developed a “secret development” that allows it to hack into HIMARS systems. On July 22, members of Killnet stated: “We are using a new type of attack, we have no equal in this area. This is a new technology that we are using for the first time against the world’s largest arms manufacturer—Lockheed Martin,” the Kremlin-supporting Life website reported at the time. MSN

Analyst Comment: Killmilk is the founder of KillNet and claims to have decided to leave the KillNet group to focus on more high-profile attacks. The first company Killmilk claims to target is Lockheed Martin. This is not the first time Lockheed Martin has been mentioned by pro-Russian hacktivists during the war in Ukraine. Hacktivists are motivated by the fact that weapons produced by the company are used to help Ukraine defend itself against the Russian attack. Killmilk and a group known as FRwL (From Russia with Love) have also published some data allegedly stolen from manufacturing company Gorilla Circuits in connection with the recent attempts to target Lockheed Martin. However, the data provided may not be valid, or may be part of an earlier breach (Gorilla Circuits experienced a security incident in late 2021). It is likely that hacktivists will continue to claim to target US-based defense contractors to dissuade the US from providing aid to Ukraine.

CYBERCRIME

Cybercriminals are increasingly turning managed service providers’ (MSPs’) own management tools against them, making MSPs more vulnerable to supply chain attacks in 2022, according to the Acronis Cyberthreats Report 2022. The Kaseya VSA ransomware attack this year is an example of how a cyberattack on an MSP can severely disrupt its customers’ supply chains. A successful attack on an MSP has the potential to cripple hundreds or thousands of small and medium-sized businesses. As seen in the SolarWinds breach last year, attackers who compromise a provider gain access to both its business and its clients. According to the report, only 20% of companies reported not being attacked in the second half of 2021, compared to 32% last year, indicating that attacks are becoming more common across the board. The following are highlights from the report for the second half of 2021:

  • Malware targeted the US, Germany, and Canada the most in Q3 of 2021.
  • Acronis blocked 376,000 URLs on the endpoint in October alone.
  • Between Q2 and Q3, 2021, blocked phishing emails increased by 23% and blocked malware emails increased by 40%.
  • The cost of ransomware was expected to exceed $20B by the end of 2021.

TechHQ

Police in Australia have charged a man with developing spyware that has been used by over 14.5k people. The 24-year-old man, who has not been identified by authorities, was apprehended by Australian Federal Police (AFP) and charged with six counts of computer crimes in a Brisbane court. He has been accused of developing the Imminent Monitor remote access Trojan (RAT), which was a low-cost but powerful spyware program that could log keystrokes and take over a victim’s computer. “Once the RAT was installed on a victim’s computer, users could control the victim’s computer, steal their personal information, or spy on them by turning on webcams and microphones on devices – all without their knowledge,” according to the AFP. The tool was advertised on hacking forums for about $25. Between 2013 and 2019, when the malware was taken down as part of a coordinated law enforcement campaign, the creator is estimated to have made between $300k and $400k from selling it. The Imminent Monitor “sparked a global law enforcement operation” known as Operation Cepheus, which included more than a dozen European law enforcement agencies as well as the FBI. Globally, 85 search warrants were executed, resulting in the seizure of 434 devices and the arrest of 13 people who used the RAT for criminal purposes. The Imminent Monitor could be installed on a victim’s device through a variety of methods, including phishing.

[Figure 2: Digital forensics search as part of the operation]
The Record

Analyst Comment: The Imminent Monitor RAT author was known by the moniker “shockwave” on HackForums. LGC analysts observed chatter indicating that the actor was using PayPal when selling malware, which may have been how he was caught. There are several “shockwave” user accounts on the underground forums mentioning the use of PayPal until 2020, so it is likely that the user changed their username after the Imminent Monitor takedown if they remained active.

Attackers are posing as trusted applications and stealing credentials to socially engineer victims, according to a Google study of malware submitted to VirusTotal. Google Cloud’s VirusTotal research team uncovered popular methods including the use of legitimate distribution channels to distribute malware and the mimicking of legitimate applications. By distributing malware through legitimate domains, attackers can often slip it past traditional perimeter defenses, including domain- or IP-based firewalls. Another attack vector is the theft of legitimate signing certificates from legitimate software makers, which are then used to sign the malware. Since 2021, more than 1M signed samples have been considered suspicious, according to a new report from the Google team. This is especially worrisome in the case of attackers stealing legitimate certificates, which could potentially enable supply chain attacks. Attackers are increasingly deploying malware disguised as legitimate software, a basic social engineering technique that is gaining traction. When using this method, the application’s icon, recognized and accepted by the victim, is used to convince them the app is legitimate. The popular VoIP platform Skype, Adobe Acrobat, and the media player VLC comprised the top three most mirrored app icons, according to the report. The VirusTotal team conducted a similar analysis on URLs using website icon similarity, finding WhatsApp, Facebook, Instagram, and iCloud to be the top four websites most abused by different URLs suspected of being malicious. Dark Reading

Analyst Comment: Posing as a legitimate application or an update is not a new technique. However, like many other attack vectors, it has been evolving as well. It is easy for an attacker to purchase a legitimate domain. According to PhishLabs research analyzing 100,000 phishing sites, in 38.3% of cases attackers used legitimate domains that had been compromised. Bypassing code-signing validation is also not a new technique; however, in the past it could mean that the attacker was sophisticated. More recently, attackers have been able to obtain legitimate certificates by claiming to be a business, according to a Duo report. Other techniques, including stealing certificates and mimicking legitimate organizations, remain common, raising concerns around certificate validation.


Hackers stole ~$200M in cryptocurrency from Nomad, a tool that lets users swap tokens from one blockchain to another. Blockchain security experts described the exploit as a “free-for-all.” Anyone with knowledge of the exploit and how it worked could withdraw tokens from Nomad. Nomad is what’s known as a “bridge,” a tool that lets users exchange tokens and information between different crypto networks. They’re used as an alternative to making transactions directly on a blockchain like Ethereum, which can charge users high processing fees. Instances of vulnerabilities and poor design have made bridges a prime target for hackers seeking to swindle investors out of millions. More than $1B in crypto assets has been stolen through bridge exploits so far in 2022, according to a report from crypto compliance firm Elliptic. In April, a blockchain bridge called Ronin was exploited in a $600M crypto heist, which US officials have since attributed to the North Korean state. Months later, Harmony, another bridge, was drained of $100M in a similar attack. Like Ronin and Harmony, Nomad was targeted through a flaw in its code. But with those attacks, hackers retrieved the private keys needed to gain control over the network and start moving out tokens – Nomad’s case was much simpler. A routine update to the bridge enabled users to forge transactions and extract millions of dollars worth of crypto. CNBC

Semikron, a German manufacturer of power semiconductor components, announced on Monday, August 1 that ransomware had infiltrated its internal network. The attack appears to have been carried out by the LV ransomware gang, considered an offshoot of the now-defunct REvil group, according to a sample of the ransomware used in the attack that was later uploaded on VirusTotal. Risky Biz

Analyst Comment: The semiconductor manufacturing industry has come under pressure due to supply chain complications and, more recently, heightened tensions between China and Taiwan, where much of the world’s supply originates. This attack highlights the heightened threat environment for ransomware attacks, even if, as in this case, there is no indication they are carried out with the intent to further strain a critical sector. We have no reason to believe LV targeted Semikron with current events in mind.

CRITICAL INFRASTRUCTURE

ENERGY

An alleged ransomware attack on two Luxembourg-based companies began last week, the latest in a string of incidents involving European energy companies. Encevo Group said Creos, an energy network operator, and Enovos, a supplier, were “victims of a cyberattack on the night of July 22.” The attack took down both companies’ customer portals but had no effect on the supply of electricity and gas, according to the company. The Luxembourg government and several other companies, including China Southern Power Grid International, own Encevo. Creos contributes to the operation of the country’s electricity and gas network infrastructure, while Enovos is Luxembourg’s primary supplier. Alongside the disruptions, Encevo Group wrote in a July 28 press release that a “certain amount of data was exfiltrated from computer systems or made inaccessible by hackers.” According to Emsisoft threat analyst Brett Callow, the Alphv ransomware group, also known as BlackCat, claimed responsibility for the attack on its leak site. They stole 150 GB of data, which included contracts, passports, bills, and emails. Alphv is a rebrand of the popular BlackMatter ransomware group, which was allegedly a rebrand of the DarkSide ransomware – a gang accused of carrying out the high-profile attack on Colonial Pipeline, according to Callow. Separately, the EU Agency for Cybersecurity published a report based on an analysis of 623 incidents in the EU between May 2021 and June 2022. It found that during ransomware attacks, 10 TB of data was stolen and exfiltrated per month, and that more than 60% of organizations may have paid a ransom.

[Figure 3: Twitter post on Alphv, aka BlackCat]
The Record

Analyst Comment: This incident highlights that critical infrastructure can still be targeted by ransomware groups, despite some cyber criminals claiming that they avoid targeting organizations that are part of critical infrastructure. Following the Colonial Pipeline hack, DarkSide operators claimed that “they did not mean to cause any harm” and were strictly financially motivated, claiming that all potential victims would be thoroughly validated to avoid targeting critical infrastructure. However, according to a BlackMatter interview with a blogger known as Russian OSINT, threat actors have their own interpretation of what “critical infrastructure” includes. For example, they do not consider agriculture to be critical infrastructure.


WATER

Most town water treatment plants serve fewer than 50k people; they face budgetary constraints that prevent administrators from investing in their digital defenses, making them prime targets for cybercriminals. Smaller systems don’t have enough revenue to pay for a plant’s physical and cybersecurity upgrades, and perimeter defenses are not properly segmented. Beyond the monetary concern, there’s a greater fear of physical harm if a cybercriminal were able to gain unimpeded digital access to a water treatment plant’s system. For example, last year a hacker broke into the Oldsmar, Florida community water treatment plant and remotely elevated the levels of sodium hydroxide. At high levels, sodium hydroxide can seriously damage human tissue. Operators at the plant intervened manually before anything happened, but the incident revealed an important vulnerability in systems across the US. Of all the challenges, encouraging cooperation and information sharing between water organizations is one of the most difficult to overcome. Given the fiscal challenges and the educational shortfall pervasive in the industry, the US government is looking to bolster the defenses of water treatment plants. Earlier this year, the Biden-Harris Administration extended the Industrial Control Systems Cybersecurity Initiative to encompass the water sector. American City & County

Analyst Comment: The incident at the Oldsmar, Florida facility is a clear example of how damaging it can be when cybersecurity and information security are overlooked. Security at the facility was described as “extremely lax,” including the use of an end-of-life operating system (Windows 7) and a lack of firewalls and password policies. Often such issues are caused by a lack of financial resources, making it hard for small-town water treatment facilities to invest in cybersecurity upgrades and hire cybersecurity personnel.

FINANCE

Threat actors are targeting market strategies, brokerage accounts, and island hopping into banks in the financial sector, according to a recent report. 130 cybersecurity leaders from financial institutions shared how cybercrime groups have evolved beyond wire transfer fraud to more destructive cyberattacks:

  • Market strategy manipulation: Accessing non-public market information has emerged as a new goal for cybercrime syndicates. In fact, 66% of financial institutions experienced attacks on market strategies. It’s no longer just about wire transfer fraud; cybercriminals are now attempting to gain access to non-public market data in order to digitize insider trading. Additionally, 67% of financial institutions observed timestamp manipulation, also known as a “Chronos” attack.
  • Remote access tools (RATs) and ransomware: A technical analysis in a recent report by VMware’s Threat Analysis Unit demonstrated how RATs aid cybercrime groups in gaining control of systems, particularly in Linux-based environments, to launch ransomware attacks. 74% of financial sector security leaders reported one or more ransomware attacks in the previous year, with 63% of victims paying the ransom.
  • Crypto attacks: With 83% of cybersecurity leaders concerned about the cybersecurity of cryptocurrency exchanges, cryptocurrency exchanges have become the digitized equivalent of a bank robbery. Furthermore, a lack of proper regulation has made it easier and faster for cybercriminals to make money through nefarious exchanges and digital currency. These criminals are also using cybercrime to circumvent Western governments’ economic sanctions.

The majority of financial institutions intend to increase their security budgets by 20-30% this year, with extended detection and response (XDR) being their top priority. Additionally, cybersecurity teams and C-level executives need to be communicating on a daily basis, according to the report. Security Info Watch


HEALTHCARE

OneTouchPoint, a mailing services provider that receives customer information from a number of health insurance carriers and medical providers in order to deliver services on their behalf, was hit with a ransomware attack last week, prompting the company to issue a data breach notice on behalf of 34 healthcare organizations. It is unable to say “definitively” what personal information was accessed by the ransomware group. The information included names and healthcare member IDs, as well as information that was provided during health assessments. The incident was reported to law enforcement, according to the notice. OneTouchPoint has not said how many people were affected by the breach in total. No ransomware group has taken credit for the attack. OneTouchPoint said it was providing notice on behalf of an array of medical organizations, while Arkansas BlueCross and BlueShield released its own breach notification in June explaining that 1,423 of its members had their names, addresses, dates of birth, provider names, and medical information exposed in the attack on OneTouchPoint. Ransomware attacks on healthcare organizations have continued throughout 2021 and 2022, including a recent attack on a California nonprofit in March by the Hive ransomware group.

[Figure 4: Reported ransomware attacks]
The Record

GOVERNANCE

USG

CISA and the Ukrainian State Service of Special Communications and Information Protection of Ukraine (SSSCIP) signed a Memorandum of Cooperation (MOC) last week to strengthen collaboration on shared cybersecurity priorities. The MOC expands upon CISA’s existing relationship with the Government of Ukraine in the areas of:

  • Information exchanges and sharing of best practices on cyber incidents;
  • Critical infrastructure security technical exchanges; and
  • Cybersecurity training and joint exercises.

CISA

GEOPOLITICS

A Russian court reinstated a ban on using the Tor Browser mobile app within Russian borders. The Russian government ordered Google to remove the app from the official Play Store at the end of May, but the ban was lifted last week following a legal action citing a breach of procedures, only to be reinstated days later. Risky Biz

Analyst Comment: Tor Browser is frequently censored by authoritarian regimes, as it helps all kinds of actors to conceal their identity, including criminals, opposition leaders, journalists, and whistleblowers. For that reason, the Tor Project has developed Tor bridges, along with a step-by-step user guide. It is unlikely that the most recent ban will have a significant effect on the use of Tor Browser in Russia.

Israeli police forces did not violate any laws when they used the NSO Group’s Pegasus spyware in some cases, according to an Israeli government commission. The Israeli government was forced to investigate the police force’s use of the Pegasus spyware after local media reported that the NSO’s tools were used against political activists as well as criminal suspects. Risky Biz

A federal grand jury charged a Russian national with attempting to disrupt US elections since 2014, spreading disinformation to further Moscow’s political goals, and infiltrating various American political organizations to carry out his plans. The indictment, which was unsealed Friday, July 29 in Tampa, Florida, shows a Russian operative engaged in a sophisticated and potentially harmful campaign to undermine American democracy and fuel extremism in the US. According to Assistant Attorney General for National Security Matthew Olsen, the Russian national named in the indictment, Aleksandr Viktorovich Ionov, “allegedly orchestrated a brazen influence campaign, turning US political groups and US citizens into instruments of the Russian government.” The indictment is the “clearest signal yet that Moscow has been fostering separatism and extremist movements in the US,” according to a disinformation expert. Allegations that the Russian intelligence service FSB was “running an agent who was spurring and funneling money to separatist movements like Calexit” are an important development, according to the expert. Calexit is an organization that advocates for California to secede from the US. It is referred to as an unnamed California secessionist group in the indictment, but other evidence cited makes clear that the unnamed group is Calexit. The DOJ’s decision to charge Ionov with conspiring to have US citizens act as illegal agents of the Russian government is a sign that other indictments could be coming, since conspiracies require accomplices, experts say. Ionov’s program is a mere sliver of what one expert called “a massive Russian program using espionage, cyber and economic pressure to destabilize the US.” “This is the best documentation that we have that Russia was doing what a lot of people suspected it would be doing behind the scenes, driving wedges in target countries, supporting extremist movements — in this case, secessionist movements,” according to a cybersecurity professor at Johns Hopkins University. CyberScoop

Analyst Comment: Aleksandr Ionov’s actions demonstrate that Russian influence campaigns often seek to sow discord in American politics and society, rather than supporting a specific political party or movement. Russia uses similar techniques in other regions as well; they may have been used in Ukraine leading up to the annexation of Crimea in 2014 and the full-scale invasion in 2022. Lessons learned from previous Russian influence campaigns, including those that targeted Eastern European nations, may help detect such campaigns in the future.


LAW & DATA PRIVACY

The Department of Justice is investigating a breach of the federal courts docketing system that occurred in early 2020. Three hostile actors breached the Public Access to Court Electronic Records and Case Management/Electronic Case File (PACER) system, which provides access to documents across the US court system. Panel Chair Jerrold Nadler (D-N.Y.) said lawmakers first learned the breadth and scope of the intrusion in March and that it was not part of the massive SolarWinds breach that was conducted by Russian hackers and impacted a handful of federal agencies, including the Justice Department. Senator Ron Wyden (D-OR) wrote a letter accusing the judiciary of failing to modernize. “I write to express serious concerns that the federal judiciary has hidden from the American public and many members of Congress the serious national security consequences of the courts’ failure to protect sensitive data to which they have been entrusted,” the letter said. Separately, Rep. Sheila Jackson Lee (D-Texas) emphasized the importance of investigating the number of cases that have been impacted by the breach. The Record, Info Security

The head of Greek intelligence told a parliamentary committee that his agency had spied on a journalist, in a disclosure that coincides with growing pressure on the government to shed light on the use of spyware, according to two sources. The closed-door hearing was called by the committee last week after the leader of the socialist opposition PASOK party filed a complaint with top court prosecutors about an attempted bugging of his mobile phone with surveillance software. PASOK leader Nikos Androulakis filed his complaint as European Union officials became increasingly concerned about spyware merchants and the use of surveillance software. Panagiotis Kontoleon, chief of the EYP intelligence service, told parliament’s institutions and transparency committee on July 29 that his service had spied on Thanasis Koukakis, a financial journalist who works for CNN Greece, according to two lawmakers present at the hearing. “He admitted the surveillance, absolutely,” one legislator present at the hearing told Reuters on Wednesday, declining to be identified because the meeting was private. According to government spokesman Giannis Oikonomou, Greek authorities do not use the spyware allegedly used in Koukakis’ hacking and do not do business with companies that sell it. Spy services in democracies face constant pressure to be more transparent, including from lawmakers looking to prevent abuse and improve performance, from public concern about government surveillance, and, in some countries, from a need for agencies to make their work known in order to broaden avenues of recruitment. Reuters, Info Security

Researchers and journalists recently warned that a social media network for athletes – Strava – can help anyone identify secretive military bases and patrol routes based on its publicly shared data. This past November, Strava announced a huge update to its global heat map of user activity, revealing 1B activities, including running and cycling routes recorded by fitness trackers. Some Strava users appear to work for certain militaries or various intelligence agencies, given that knowledgeable security experts quickly connected the dots between user activity and the known bases or locations of US military or intelligence operations. Certain analysts have suggested the data could reveal individual Strava users by name. This could assist potential adversaries in tracking patterns of life for military and intelligence operators. Wired


