Commit 12_04_2023: U.K. nuclear site hacked (or not)

Welcome to Commit 12_04_2023! README senior editor Nathaniel Mott here with a cup of cheer… or, no, actually it’s the leading cybersecurity news.

The Guardian: UK nuclear site hacked by China, Russia
Don’t call it Stuxnet 2.0: The Guardian today reported that “the UK’s most hazardous nuclear site, Sellafield, has been hacked into by cyber groups closely linked to Russia and China.” The outlet said authorities don’t know when exactly the site was compromised—which is never particularly comforting—and that there were signs of it being hacked as early as 2015.

The Guardian said that Sellafield “has the largest store of plutonium on the planet and is a sprawling rubbish dump for nuclear waste from weapons programmes and decades of atomic power generation.” Now it should be assumed that at least China and Russia have stolen information about the facility, according to the report, though it’s not clear what data might have been compromised.

Reuters: U.K. says nuclear site wasn't hacked, actually

The British government—and, separately, Britain's Office for Nuclear Regulation—both said in statements to Reuters that they have "no records or evidence to suggest that networks at the Sellafield nuclear site were the victim of a successful cyber attack by state actors." They also threw a bit of shade at The Guardian for reporting that Sellafield had been hacked.

"Our monitoring systems are robust and we have a high degree of confidence that no such malware exists on our system," the British government said in a statement to Reuters. "This was confirmed to the Guardian well in advance of publication, along with rebuttals to a number of other inaccuracies in their reporting." So we'll see how this all shakes out.

DOJ: Trickbot developer pleads guilty

The U.S. Department of Justice announced on Nov. 30 that Vladimir Dunaev pleaded guilty “to his role in developing and deploying the malicious software known as Trickbot, which was used to launch cyber-attacks against American hospitals and other businesses.”

The U.S. and U.K. both filed sanctions against seven individuals associated with Trickbot, which, as I noted at the time, marked the first time the U.K. had sanctioned a ransomware gang. (The U.S. previously filed sanctions against Evil Corp in 2019; the group is widely believed to have rebranded so its victims would be more inclined to pay ransoms.) Dunaev is set to be sentenced on March 20, 2024.

BleepingComputer: HHS warns hospitals about CitrixBleed

It’s well past time for organizations to have patched against the “CitrixBleed” vulnerabilities in Citrix’s NetScaler ADC and NetScaler Gateway appliances. Many still haven’t gotten the memo, however, and BleepingComputer reported on Dec. 2 that the U.S. Department of Health and Human Services has told hospitals “to upgrade to prevent further damage against the Healthcare and Public Health (HPH) sector.”

CitrixBleed was publicly disclosed on Oct. 10. Mandiant said it’s been actively exploited since at least August. Although I understand that organizations can’t always patch their products right away (and healthcare security budgets may be stretched thin), continuing to run vulnerable instances of these appliances two months later strikes me as unconscionable, especially in a sector that can put people’s lives at risk if operations are disrupted via a cyberattack.

The Record: Microsoft says the Kremlin is hacking Outlook systems

Speaking of patching your software: The Record today reported that Microsoft says Kremlin-backed hackers are continuing to exploit CVE-2023-23397, a vulnerability in Outlook for which the company released a patch in March, so they can read through their targets’ emails. (The campaign has been attributed to a group tracked as Forest Blizzard, APT28 and Fancy Bear.)

Most organizations probably shouldn’t be running Outlook themselves anyway. But if they’re going to, they should certainly be applying patches some nine months after their release, right? I wouldn’t consider that an unreasonable expectation—but between the CitrixBleed warning and this one, I guess it is, at least for some organizations. Sheesh. Maybe this latest warning will give ‘em the kick they need.