Changelog: Another cyber-enabled power outage
sippakorn yamkasikorn / Unsplash
Welcome to Changelog for 11/9/23, published by Synack! README senior editor Nathaniel Mott here with the week's leading security news.
The payload
Cyber may have played a bigger role in Russia’s invasion of Ukraine than many people thought. Mandiant today reported that Sandworm, the Russia-linked advanced persistent threat responsible for disrupting Ukraine’s power grid in 2015 and 2016 as well as the infamous NotPetya attack of 2017, “targeted a Ukrainian critical infrastructure organization” with “a multi-event cyber attack that leveraged a novel technique for impacting industrial control systems (ICS) / operational technology (OT),” causing another power outage for Ukrainian civilians in October 2022.
Previous reporting suggested that Russian forces were more keen on disrupting Ukraine’s infrastructure the old-fashioned way—bombing them—rather than relying on cyberattacks. Mandiant’s report suggests that Russia may have combined these approaches, at least in the incident the company revealed today.
“While we lack sufficient evidence to assess a possible link, we note that the timing of the attack overlaps with Russian kinetic operations,” Mandiant said. “Sandworm potentially developed the disruptive capability as early as three weeks prior to the OT event, suggesting the attacker may have been waiting for a specific moment to deploy the capability. The eventual execution of the attack coincided with the start of a multi-day set of coordinated missile strikes on critical infrastructure across several Ukrainian cities, including the city in which the victim was located.”
The full report includes additional information about how Sandworm’s approach to compromising ICS / OT networks has changed over time, indicators of compromise and guidance for organizations that rely on similar equipment in their networks. Russia may have preferred the kinetic approach in Ukraine, but it seems more likely to opt for the cyber approach in countries whose critical infrastructure it wants to target with a degree of plausible deniability. (To say nothing of the logistics involved with physical warfare.)
I think Mandiant’s report drives home the point that many of us won’t know the extent to which Russia has used offensive cyber operations as part of its invasion of Ukraine—or how other countries will use similar approaches in their own conflicts—until long after the dust has settled. Mandiant revealed this incident over a year after it occurred, and frankly, I’m surprised it didn’t wait even longer. As much as journalists hate the phrase, this seems like one area where “time will tell” seems apropos.
The week, compiled
It might get a whole lot easier to convince people to use Signal. The encrypted messaging app, which currently requires users to exchange phone numbers if they want to securely communicate with each other, is testing public usernames similar to those used by practically every other social app on the planet.
“If you’ve been following along with the commit messages across our repositories, it’s no secret that we’ve been working on bringing Usernames to Signal for a while now,” Signal vice president of engineering Jim O’Leary said in a community forum post. “After rounds of internal testing, we have hit the point where we think the community that powers these forums can help us test even further before public launch.”
Adem AY / Unsplash
This change would address my biggest frustration with Signal. I don’t want to give out my phone number—especially to public relations agencies that would be all too happy to call, text and otherwise bother me several times for every one of their clients’ announcements. But I do want to be able to communicate with potential sources over a secure platform.
Here’s to hoping the public username feature moves through the development process quickly.
Meanwhile, the week in README:
Commit 11_6_2023: Updates on the most recent Okta breach, the possibility that data brokers represent a threat to national security, a vulnerability in Atlassian’s Confluence product sees mass exploitation, the Cybersecurity and Infrastructure Security Agency sees an uptick in zero-day exploitation and the U.S. joins South Korea and Japan in looking to contain the threat posed by North Korean hackers.
Commit 11_8_2023: Atlassian confirms that Confluence vuln is being used to distribute ransomware, Microsoft Authenticator is updated to prevent suspicious login requests from reaching end users, U.S. Immigration and Customs Enforcement agents were caught installing third-party software on government-issued smartphones and details about new malware used by North Korea.
A message from Synack
How companies approach security testing is in need of a makeover. Traditional pentesting satisfied compliance requirements, but that doesn’t stop critical vulnerabilities from affecting the business. With a strategic testing approach, companies can discover the vulnerabilities that matter most, manage remediation more quickly and see security posture improvement in real time with essential analytics. Learn how to start your journey to strategic testing.
Flash memory
Mozilla released the first version of its Firefox browser on Nov. 9, 2004, which means it’s only six months older than Fall Out Boy’s “From Under the Cork Tree.” (To any fellow millennials reading this: We’re all old now. Probably oughta start keeping an eye on those hips, everyone!)
Many iterations of Firefox have followed; Mozilla released version 119 of the browser on Nov. 7. Despite that longevity, StatCounter analytics show that Firefox only accounts for 3% of the browser market, while Google Chrome represents over 63% and Apple’s Safari makes up just under 20%.
But that doesn’t mean Firefox should be overlooked. If anything, the presence of an open source browser with no connection to Chrome is more important than ever. (Many of its contemporaries, including Microsoft Edge, Vivaldi, etc. are built on top of the same Chromium foundation as Google Chrome itself.)
I don’t think it’s controversial to argue that Google shouldn’t be handed de facto control over the web simply because its browser is so popular. Mozilla has provided a viable alternative in Firefox for the last 19 years; I’d like to see it continue to do so for another 19 if only so the web itself can remain open.
Local files
The Record: New York’s Attorney General got US Radiology to agree “to pay a $450,000 fine after a 2021 ransomware attack led to the exposure of sensitive information from nearly 200,000 patients,” as The Record put it, as part of the state’s ongoing efforts to hold companies accountable for their cybersecurity.
BleepingComputer: The FBI said this week that ransomware gangs are “exploiting vulnerabilities in vendor-controlled remote access to casino servers” and “companies victimized through legitimate system management tools to elevate network permissions” as part of ongoing attacks on the sector following the high-profile hacks of MGM Resorts and Caesars Entertainment in September.
Off-script
I’ve never been particularly interested in watching sports. My family used to catch the Super Bowl, but that was mostly because my parents liked the commercials. (Including this gem of a Sprint ad that lives rent-free in my head 17 years later.) So it’s been well over a decade since I was even that engaged.
And then I discovered the Premier League.
Nelson Ndongala / Unsplash
I’m not sure what prompted it. Maybe it was the first season of “Blue Lock” being such a fun show to binge. Maybe it was the latest rewatch of “Ted Lasso” making me have a feeling again. But for some reason, a few weeks ago I decided it was time to start following a Premier League football club.
Lacking any historical connection to these clubs, I somewhat arbitrarily decided to follow Arsenal. Now I’m committed, and honestly? It feels weird to suddenly care about, well, any of this. What’s next, following a rugby team? Finally learning what cricket is? Who have I become?