One hacker vs. the Hermit Kingdom

Welcome to Changelog for 2/6/22, brought to you by Synack! Blake here, reporting from Washington. It’s been another jam-packed week for cybersecurity news, with a massive crypto heist, a first-of-its-kind NSA interview and some gloomy numbers for a Pentagon supply chain security program. Let’s dive in:

The payload 

Can one person hack a whole nation?

It sounds like a promo for a bad movie, but it’s a real question: Wired reported Wednesday that one anonymous American hacktivist has been single-handedly responsible for recent outages plaguing North Korean-hosted websites and email services.

A better question might be: Should any one person hack a whole nation?

I don’t think so. Hacking a nation-state in your pajamas is the cybersecurity equivalent of free-soloing sheer granite in Yosemite — one wrong move, and you’ve doomed yourself while leaving a mess for someone else to clean up. The hacker Wired identified as “P4x” doesn’t seem too concerned: Stung by a Pyongyang-backed hacking campaign last year that targeted Western security researchers, P4x set out on a revenge mission. He wants to teach the Hermit Kingdom a lesson, coordinating a series of DoS attacks against government targets there.

Cyberattacks launched from the comfort of a home office carry a veneer of safety. What’s the worst that could happen? How would notoriously isolated North Korea possibly retaliate against a lone U.S. hacker? And how much damage could P4x really do, given that the vast majority of North Korean citizens have no internet access? As he emphasized to Wired’s Andy Greenberg, his goal is to “keep NK from hacking the western world completely unchecked,” but not to harm civilians. “My conscience is clear,” he added.

It’s all fun and games until somebody triggers an international crisis. Why would Kim Jong-un have any reason to believe P4x is who he says he is, and not a U.S. version of “lone-hacker”-cum-Russian-intel-officer Guccifer 2.0?

We have enough to worry about without kicking more beehives in cyberspace. To P4x, I’d say: So what if you were targeted by North Korean hackers last year? Let it go.

The week, compiled 

A top NSA official offered his first public comments on cybersecurity R&D priorities in an interview with MIT Technology Review. Gil Herrera, head of NSA’s Research Directorate, was circumspect when it came to specifics about what the high-tech directorate — Technology Review’s Patrick Howell O’Neill likened it to a “small elite technical college” — is pouring money into. Quantum computing breakthroughs, with their potential to break many conventional encryption protocols, are high on the NSA’s list. But so are new mathematical approaches to wrangling Big Data into actionable intelligence.

“Everyone thinks their data is the messiest in the world, and mine maybe is because it’s taken from people who don’t want us to have it, frankly,” Herrera told O’Neill. (Evidently he’s never seen my notebooks.)

Here’s what else we’re reading:

Reuters: The infamous “zero-click” iPhone exploit abused by Israel-based spyware developer NSO Group was replicated by a second, lower-profile Israeli company called QuaDream. The ForcedEntry software exploit allowed attackers — AKA, QuaDream and NSO Group customers — to break into a victim’s iPhone without requiring so much as a clicked link or opened text message. Buyers of QuaDream’s multimillion-dollar “REIGN” spyware included governments known to wield malware against political dissidents, sources told Reuters.

The Wall Street Journal: A sweeping hack of journalists at WSJ, the New York Post, and other News Corp. holdings is suspected to have been led by hackers working to benefit China’s interests, investigators say. The attackers were able to steal reporters’ notes in Google Docs, see story drafts before publication and access emails dating back to at least February 2020, according to preliminary findings. The case offers another chilling reminder of how journalists face heightened hacking risks due to the nature of our work.

Motherboard: Cryptocurrency heists are a dime a dozen, but the latest cyberattack on decentralized finance “blockchain bridge” Wormhole turned heads in the cybersecurity community for its eye-popping $320 million price tag. What’s a blockchain bridge, you ask? Think of it as the roadway used to convert one type of cryptocurrency, like Solana, to another like Ethereum. And last week’s 9-figure heist is a major bridge collapse.

“Patriot” missile defense systems are staged during a Nov. 4, 2016 U.S.-led military exercise in Romania. Tech. Sgt. Brian Kimball/DoD News photo/Flickr

README: Only one in four U.S. defense contractors is on track to meet baseline cybersecurity standards set to take effect over the next two years at the Department of Defense. The revelation marks the latest hurdle for the Cybersecurity Maturity Model Certification program, a Trump-era effort to ensure tens of thousands of suppliers to the Pentagon are defended against hackers. Biden pledged a do-over of the program — now dubbed CMMC 2.0 — but the looming compliance process is still fraught with risks for contractors large and small, as Shaun Waterman reports.

The Wall Street Journal: The Biden administration is convening a 15-person “Cyber Safety Review Board” with an all-star list of cybersecurity leaders including NSA cybersecurity director Rob Joyce, Luta Security CEO Katie Moussouris and Kemba Walden, assistant general counsel for Microsoft Corp.’s Digital Crimes Unit. The board’s first order of business is to probe the U.S. response to the bombshell Log4j vulnerability. The panel is loosely modeled after the National Transportation Safety Board, best known for leading independent investigations of U.S. plane accidents — though one cybersecurity CEO noted that the CSRB panel doesn’t feature anyone with deep operational technology or industrial control system expertise, arguably the cybersecurity arena that’s linked closest to safety.

Mandiant: Speaking of ICS security, ransomware extortion sites routinely house sensitive operational data stolen from industrial organizations like power utilities and oil companies. That’s a big problem, because dated OT information can still be useful for attackers. “Even if the exposed OT data is relatively old, the typical life span of cyber physical systems ranges from twenty to thirty years,” Mandiant researchers pointed out in research unveiled last Monday.

Flash memory 

The Winter Olympics kicked off Friday in Beijing, bringing plenty of fanfare but very little natural snow. The cyberthreat forecast is similarly clear, according to some experts, but some past Olympic events have been stormier. Hackers backed by Russia’s GRU spy agency struck the 2018 Winter Olympics in Pyeongchang, South Korea with such guile that Wired later labeled the cyberattack “the most deceptive hack in history.” Olympic Destroyer, as the attack came to be known, ricocheted through key South Korean IT systems ahead of opening ceremonies, leaving behind a trail of false flags to point the finger at North Korea. The worm spread via a potent Windows networking vulnerability, causing collateral damage and even disabling the ski lift at a nearby South Korean resort, as Kaspersky researchers observed. For someone from Florida like me, that’s basically my worst nightmare: I’ll hope for the Beijing athletes’ sake that they can avoid a similar fate.

Local files 

BBC News: European oil facilities faced a barrage of cyberattacks last week, disrupting IT systems in Germany, the Netherlands and Belgium. At least some oil deliveries were affected, and German news outlet Handelsblatt reported that the BlackCat ransomware variant was implicated in the attacks there.

CyberScoop: Cisco Talos researchers disclosed a renewed hacking campaign targeting Palestinian organizations, noting that the “Arid Viper” Arabic-speaking threat group is recycling 5-year-old tactics with little regard for their conspicuousness.

CultureMap: A $5 million cybersecurity training center is taking shape in San Antonio, a hub of U.S. hacking talent.

Off-script 

Lightning bolt!

The National Oceanic and Atmospheric Administration recorded the world’s longest-ever lightning flash, a 477-mile arc that spanned from Texas to Mississippi on April 29, 2020. The so-called megaflash resembles a supercharged sidewinder as it snakes across the southern U.S.:


A record-setting lightning flash. Credit: NOAA/via YouTube.

That’s it for this week — feedback, tips and hacking tricks are welcome at bsobczak@synack.com. Thanks for reading!