Changelog: Volt Typhoon threat is the real deal

Damon Lam / Unsplash

Welcome to Changelog for 2/15/2024, published by Synack! README senior editor Nathaniel Mott here from the once-again-frozen backwoods of upstate New York with your week in cyber.

The payload

Dragos CEO Robert M. Lee strikes me as a no-nonsense kind of guy. He’s known for his candid assessments of threats to critical infrastructure—I don’t think many cyber executives would say on-the-record that a group targeting industrial control systems is an “asshole” that nobody likes—and he doesn’t usually come across like he has something to sell you (even when he is repping Dragos).

So when Lee said on a call with reporters earlier this week that he would “endorse and agree with” the U.S. government’s assessment of the threat posed by Volt Typhoon, well, I paid attention. (He was actually referring to a group Dragos tracks as VOLTZITE, which is said to “overlap” with Volt Typhoon, but I don’t want to unpeel the onion that is attributing cyber operations to a particular threat actor.)

A quick refresher: Volt Typhoon first came on my radar when The New York Times reported in July 2023 that, according to numerous U.S. officials, “the Biden administration is hunting for malicious computer code it believes China has hidden deep inside the networks controlling power grids, communication systems and water supplies that feed military bases in the United States and around the world.”

U.S. cyber leaders mentioned Volt Typhoon in a broader warning to Congress about the threat China poses to America’s critical infrastructure on Jan. 31. Then, a few days later, the Cybersecurity and Infrastructure Security Agency said that it and its partners have found data suggesting that China is “positioning itself to launch destructive cyber-attacks that would jeopardize the physical safety of Americans and impede military readiness in the event of a major crisis or conflict with the United States.”

Lee echoed those warnings earlier this week. 

“What is concerning to us is not that they deployed very sophisticated capabilities to do destruction yet,” Lee said. “That's not the concern. The concern is the targets they picked... are very strategic targets. It's not a spray-and-pray type approach of just finding people to compromise. It is specifically looking at sites that would be of strategic value to an adversary looking to hurt or cripple U.S. infrastructure.”

More information about VOLTZITE / Volt Typhoon’s activity can be found in a Dragos report on the group, in which the company said it “poses a credible threat to critical infrastructure operators in the United States and jurisdictions within the threat group’s strategic interest” even though “they have not yet displayed actions or capabilities designed to disrupt, degrade, or destroy ICS/OT assets or operations.” 

The week, compiled

Google published on Feb. 14 a report titled “Tool of First Resort: Israel-Hamas War in Cyber.” The report was informed by observations from the company’s Threat Analysis Group, Mandiant and Trust & Safety Teams, and it shows how even though cyber operations have been an aspect of the Israel-Hamas war, it’s played a different role in that conflict than it has in Russia’s invasion of Ukraine.

“In the Israel-Gaza region, we did not observe a spike in cyber operations against Israeli targets before the attack, in stark contrast to Ukraine, where we saw a large increase in Russian cyber threat activity targeting Kyiv in the lead up to the invasion,” Google said in the report (PDF). “In addition, we saw no indication that cyber activity was integrated into Hamas battlefield operations, or that cyber was used to enable kinetic events. In comparison, we saw Russian cyber threat actors launch coordinated cyber attacks against Ukrainian targets before missile strikes.” (As Wired reported in November 2023.)


Cole Keister / Unsplash

Much of the report focuses on Iran’s efforts to support Hamas with campaigns targeting organizations throughout Israel, the U.S. and their allies, to varying degrees of success. It also includes an overview of activity that’s been attributed to Hamas-affiliated groups and broader campaigns targeting Israel.

Google wasn’t the only company focused on threats against Israel this week. Intezer shared information about a campaign “impersonating the Israeli National Cyber Directorate [...] distributing multi-platform malware, including Windows and Android wipers, to distribute anti-war propaganda and an attack ad against [Israeli Prime Minister Benjamin] Netanyahu” on the platform formerly known as Twitter on Feb. 12. HarfangLab shared its analysis of some of the malware samples Intezer shared (plus some related samples) on Feb. 14.

Now for some of the leading stories of the week:

The Register: Microsoft’s Patch Tuesday arrived on Feb. 13 with fixes for a pair of zero-days intermingled with 71 other vulnerabilities. Actually, make that three zero-days, because Microsoft updated its advisory for an Outlook bug to say that it was actively exploited before the company released these patches. Rapid7 has a breakdown of the vulns Microsoft disclosed, as does CrowdStrike.

KrebsOnSecurity: I don’t usually say “oof” when I read the news. Brian Krebs’ report on U.S. Internet “publishing more than a decade’s worth of its internal email — and that of thousands of [its] clients — in plain text out on the Internet and just a click away for anyone with a Web browser” was an exception. (And a helpful reminder that someone assuring you their services are secure means diddly squat.)

Eclypsium: Palo Alto Networks revealed the addition of a UEFI bootkit to the Glupteba malware on Feb. 12. Now firmware security specialists Eclypsium have published their breakdown of the bootkit’s capabilities, including their assessment that the “ability of the malware to bypass Windows security features such as PatchGuard and DSE (Driver Signature Enforcement) is especially concerning.”

CyberScoop: Microsoft and OpenAI both warned this week that “hackers from China, Iran, North Korea and Russia are exploring the use of large language models in their operations,” as CyberScoop put it. But, as Michael Taggart noted on Mastodon, the companies also said that these attacks weren’t particularly significant and that the LLMs barely offered a leg-up over traditional tooling. So don’t panic just yet.

A message from Synack

Pentesting on a FedRAMP Moderate Authorized Platform. Synack has achieved the Moderate "Authorized" designation from the U.S. Federal Risk and Authorization Management Program (FedRAMP), demonstrating that Synack's premier security testing platform meets the cloud compliance framework's rigorous requirements at the Moderate level. The milestone approval means government agencies can deploy Synack's best-in-class penetration testing and vulnerability management solutions – even for internal data, and in systems that process Controlled Unclassified Information. To learn more about the news and your security testing options, head over to https://hubs.ly/Q02jpBQ30.

Flash memory

International Business Machines celebrated its 100th birthday on Feb. 13. Well, kind of. I like IEEE Spectrum’s retelling of the company’s origin as Computing-Tabulating-Recording Co. before its Feb. 13, 1924 name change, which is what it celebrated on Tuesday. The centennial proper was observed in 2011. The strange thing for me is that aside from mainframes, I associate IBM with keyboards and typefaces. 

The keyboard association comes from the IBM Model M that debuted in 1985. People are fanatical about this keyboard, and if you aren’t looking to restore an original Model M, you can buy a modern version from Unicomp for $125. The peripherals market is constantly evolving, so the ongoing commitment to a nearly 40-year-old design that clacks so loud it’s sure to annoy everyone in your vicinity is pretty telling.

The typeface association comes from IBM Plex. I haven’t used that font myself, but it informed the design of Information Architects’ custom iA Writer family of typefaces, which I used for pretty much everything I wrote between 2017 and 2020. I should probably add IBM Plex Mono to the rotation of monospaced typefaces I use now; it has a distinctive character that I like despite its undeniable corporate aesthetic.

Local files

TechCrunch: Somewhere “between 235,000 and 470,000 customers” of Southern Water had some information—potentially including “dates of birth, national insurance numbers, bank account details and reference numbers”—stolen in January. The company’s been tight-lipped about just how many customers have been affected, though, or exactly what the hackers accessed. We should learn more later.

The Record: NSO Group’s in the news again. This time it’s because Polish Prime Minister Donald Tusk said on Feb. 13 that “the prior administration illegally deployed Pegasus spyware” to “track a ‘very long’ list of targets” in flagrant violation of the Polish constitution. Tusk reportedly shared some of the uncovered documents (a “sample”) with Poland’s justice minister and prosecutor general.

BleepingComputer: The first time I clicked that link it said a ransomware attack had taken 18 hospitals in Romania offline. Then I refreshed it a few hours later and it said that 25 hospitals were offline. Then—and this appears to be the final count—it rose to 100 hospitals being disrupted. (Although 75 of those were taken offline as a precaution rather than as a result of direct attacks.) Not a great week for Romanians.

Off-script

This morning I finished Cory Doctorow’s novel “Red Team Blues” in the precious minutes between getting my kid ready for school and getting myself ready for work. I’ve been reading Doctorow’s nonfiction work since I started covering the tech industry in 2011, and I’ve watched his term “enshittification” become part of the terminally online’s lexicon, but this is the first time I’ve read any of his fiction.


Mikołaj / Unsplash

I won’t spoil the plot, but I think it’s safe to reveal that Doctorow wastes no time skewering the cryptocurrency-fetishizing tech bros who have taken over public discourse. I’ve made no secret of my disdain for pretty much everything cryptocurrency-related, and I’m a sucker for having my beliefs echoed back at me, so that was all it took to ensure I’d read through “Red Team Blues” in its entirety.

It was pretty good! Anyone who’s at least passingly familiar with the security industry will probably appreciate that Doctorow walks the line between “I’m going to namedrop Signal and Tor for street cred” and “spending too much time explaining arcane technologies to people who either already understand them or don’t care about them,” while also delivering on a fun, easy-to-follow plot. Check it out.