Bracing for cyberattacks as Russia readies for war

Illustration: Si Weon Kim

Welcome to Changelog for 2/13/22, published by Synack! I’m your host, Blake. From some pretty serious Apple patches to a disheartening update on the Log4j vulnerability’s long tail, last week’s threat level was tomato. Here’s what’s driving the news:

The payload

With Russia amassing 100,000 troops along Ukraine’s border, U.S. intelligence officials have warned a bloody ground invasion may be imminent. That’s bad enough on its own, but there’s also the grim expectation that Moscow will pair a physical attack on its neighbor with sophisticated cyberattacks that could spill beyond Ukraine’s borders.

“As we know, the Russians have used cyber as a key component of their force projection, to include disabling or destroying critical infrastructure,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said on Twitter yesterday, urging U.S. companies to batten down the hatches.

There’s plenty of alarming precedent. In December 2015, hackers later linked to Russia launched a first-of-its-kind cyberattack on Ukraine’s grid, briefly knocking out electricity to some 250,000 people.

Documents I obtained via the Freedom of Information Act shed new light on the U.S. response to that hack. A delegation of U.S. officials and electricity industry representatives visited Kyiv in early 2016 to uncover details of the attack and assess the risk to American power providers in an attempt to head off a similar attack half a world away, as I report for README.

But what’s the current danger to U.S. critical infrastructure? While variants of the same BlackEnergy malware deployed in Ukraine six years ago had been uncovered in American utilities, a cyberattack isn’t known to have ever caused a U.S. power outage. For all the dire warnings of Russian malware “implants” in vital U.S. networks, they have either never been used or never existed.

But if they are really there, waiting to be triggered — this week could get messy. I won’t be holding my breath for any widescale U.S. disruptions, but it might not be a bad idea to heed CISA’s “shields up” mantra anyway.

The week, compiled

Heather Morgan, a bubbly, extremely online 31-year-old rapper and self-described influencer, has been accused of laundering billions of dollars’ worth of cryptocurrency alongside her husband, Ilya Lichtenstein, U.S. law enforcement authorities announced last week.

Vice led a deep dive into the colorful world of Morgan, AKA Razzlekhan, whose arrest on Tuesday set off a social media firestorm as people poked fun of her cringeworthy music videos. (“Blindly following rules is for fools / ‘Stead I work the edge cases with my tools,” she raps in one, which has since been made private on her own YouTube channel.)

A still from one of Heather Morgan’s music videos. Via Razzlekhan/YouTube

The contrast between Morgan’s plucky online persona and the magnitude of her alleged crime — laundering around $4.5 billion in Bitcoin stolen from the Bitfinex exchange in 2016 — is a reminder that fraudsters come in all varieties. Even the bizarro wrath of Razzlekhan couldn’t stop authorities from reclaiming over $3.6 billion linked to the Bitfinex hack.

Here’s what’s happening outside the “Razzleuniverse”:

CyberScoop: The IRS backpedaled on a plan to use facial recognition to verify user accounts. The agency said it will transition from relying on third-party verification company ID.me after facing pressure from cybersecurity and privacy advocates — not to mention more than a dozen lawmakers.

Bloomberg: Microsoft is zeroing in on a multibillion-dollar acquisition of Mandiant a month after announcing its high-profile acquisition of Activision Blizzard. Shares of Mandiant jumped on the news Tuesday, though sources told Bloomberg that a deal has not been finalized.

E&E News: Tom Fanning, CEO of utility holding company Southern Co., has stepped down as head of the influential cybersecurity-focused Electricity Subsector Coordinating Council, a key conduit for channeling secretive government threat information to U.S. and Canadian electricity providers. Bill Fehrman, CEO of Berkshire Hathaway Energy, will take Fanning’s place as ESCC co-chair.

Thousands of users are still downloading vulnerable versions of the Java-based Log4j logging tool. Illustration: Si Weon Kim

The Wall Street Journal: Vulnerable versions of the open-source Log4j software tool are still being downloaded at a breathtaking pace, with thousands of organizations evidently missing the memo on December’s patches. As one cybersecurity CEO told the Journal: “That’s pretty terrible.”

Flash memory

On March 5, 2020, a bipartisan group of lawmakers led by Sens. Lindsey Graham (R-S.C.) and Richard Blumenthal (D-Conn.) introduced legislation to pressure the tech industry to crack down on child exploitation online. But the so-called Earn It Act drew a hail of criticism from critics who said it would hamper free speech and set back use of encryption. The bill would have made tech companies potentially liable for offering strong encryption to their users, on the basis that end-to-end encryption could be used to share content involving child sexual exploitation.

Back then, the legislation never advanced out of committee. But last week, a reincarnation of the Earn It Act sailed through the Senate Judiciary Committee, as the Washington Post reported. The 2022 version of the bill is again igniting a fierce debate over encryption, privacy and Section 230 of the Communications Decency Act, which broadly governs how tech giants must handle objectionable content shared on their sites.

Local files

The Springfield [Mo.] News-Leader: Prosecutors declined to file charges against a St. Louis Post-Dispatch reporter who sounded the alarm about sensitive data exposed in a state education website. Missouri Gov. Mike Parson (R) branded the reporter, Josh Renaud, a “hacker” worthy of criminal punishment despite the fact that Parson pretty much just pressed F12 to reveal a trove of Social Security numbers. “This was a political persecution of a journalist, plain and simple,” Renaud said in a statement Friday.

The Albuquerque Journal/AP: New Mexico lawmakers have advanced a bill to set aside $45 million to boost school district cybersecurity after a series of recent ransomware attacks blocked access to student records.

AP: Poland is launching a Cyber Defense Force that, despite its name, will be authorized to carry out offensive actions in the interest of protecting Poland’s Armed Forces from hackers.

Off-script

Having grown up in sunny Florida, I watch the Winter Olympics with a mix of trepidation and awe. I’m about as graceful on ice skates as a Roomba on stairs. (Though I shouldn’t be too hard on Roombas, as just about any robot — even a 2000s-era Honda ASIMO — could beat me on the slopes or in the rink.)

So when American figure skater Nathan Chen moved like this after completing who-knows-how-many spins and jumps already, I dropped my jaw.

Via Tenor.com

That’s it for this week — tips, feedback, and Discount Candy Day deals are all welcome: bsobczak@synack.com.