CyberWire Daily - China sets sights on US critical infrastructure.
Episode Date: December 11, 2023

China allegedly targets US critical infrastructure, while a small Irish village goes without water due to an Iranian CyberAv3ngers attack. The EU sets a global precedent with new AI regulations. Unraveling the latest maneuvers of the Lazarus Group. The Sandman APT's links to Chinese cyber threats. "5Ghoul" vulnerabilities represent a new challenge in telecom security. The deceptive dangers of the MrAnon infostealer in a booking app. The GRU's phishing tactics lead to the spread of Headlace malware. On today's Solution Spotlight segment, Kristie Grinnell from DXC Technology talks with N2K's President Simone Petrella about DXC's "All in on Cyber" program. And 23andMe's controversial update to its terms and conditions.

CyberWire Guest: Kristie Grinnell, DXC's Senior Vice President and Chief Information Officer, talks with N2K's President Simone Petrella about DXC's "All in on Cyber" program on today's Solution Spotlight segment.
Selected Reading
China's cyber army is invading critical US services (Washington Post)
Hackers hit Erris water in stance over Israel (Western People)
FBI: Cyberattack against Aliquippa water authority was a targeted 'escalation' on overlooked technology (Post-Gazette)
White House aide says Iranian hack of US waterworks is call to action (C4ISRNet)
EU reaches deal on landmark AI bill, racing ahead of US (Washington Post)
Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang (Cisco Talos)
Sandman APT | China-Based Adversaries Embrace Lua (SentinelOne)
5Ghoul: Unleashing Chaos on 5G Edge Devices (Singapore University of Technology and Design)
MrAnon Stealer Spreads via Email with Fake Hotel Booking PDF (Fortinet)
ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware (Security Intelligence)
23andMe changes terms of service amid legal fallout from data breach (Axios)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
China allegedly targets U.S. critical infrastructure, while a small Irish village goes without water due to an Iranian CyberAv3ngers attack. The EU sets a global precedent with new AI regulations. Unraveling the latest maneuvers of the Lazarus Group. The Sandman APT's links to Chinese cyber threats. 5Ghoul vulnerabilities represent a new challenge in telecom security. The deceptive dangers of the MrAnon info stealer in a booking app. The GRU's phishing tactics lead to the spread of Headlace malware. On today's Solution Spotlight segment, Kristie Grinnell from DXC Technology talks with N2K's President Simone Petrella about DXC's All In on Cyber program. And 23andMe's controversial update to its terms and conditions.
It's Monday, December 11th, 2023. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

We begin today with reporting from the Washington Post that the Chinese military is intensifying efforts to compromise key American infrastructure, such as power, water utilities, communications, and transportation systems. [...] industry security officials, hackers linked to China's People's Liberation Army have infiltrated computer systems of about two dozen critical entities over the past year. These cyber intrusions are seen as preparations for potential chaos or logistical disruption in case of a U.S.-China conflict, particularly in the Pacific region. Targets include a Hawaiian water utility, a major West Coast port, and an oil and gas pipeline. There were also attempts to breach the Texas power grid operator. These actions are part of the broader Volt Typhoon cyber campaign, first detected by the U.S. government about a year ago. The campaign's focus appears to be on targets within the Indo-Pacific region, including Hawaii. These intrusions haven't affected critical operational systems or caused disruptions, but indicate an intent to complicate U.S. military efforts or cause internal chaos in the event of a conflict, especially concerning Taiwan. The hackers typically conceal their activities, aiming to maintain access for potential future attacks. This shift in Chinese cyber activity from espionage to potential infrastructure disruption marks a significant strategic change. The U.S. intelligence community has warned that China could launch cyber attacks to disrupt critical U.S. infrastructure in a major conflict scenario. The Volt Typhoon campaign has affected not just large entities but also smaller companies across various sectors, hinting at an opportunistic targeting approach. Chinese military strategists have discussed using cyber tools in conflict scenarios, including amphibious invasions and disruption of military logistics and command networks. This aligns with the current observed activities and targets of Chinese cyber operations. In response, the U.S. government is working to improve coordination with the private sector and tech companies to detect and counter these threats. Efforts include issuing mandatory cybersecurity rules for critical industries and encouraging better practices such as mass password resets and secure multi-factor authentication. The U.S. and its Five Eyes intelligence allies have issued advisories to help detect and mitigate such intrusions, emphasizing the need for collective vigilance and information sharing in protecting critical infrastructure.
And speaking of critical infrastructure, a cyber attack, likely the work of the Iranian group CyberAv3ngers, disrupted the water supply for 180 homes in the Erris area of Ireland by targeting a Unitronics Israeli-made water pumping system. The hackers, reportedly targeting the system due to its Israeli origin, caused the Binghamstown Drum water scheme to lose service for two days. The attack was discovered when a caretaker saw a message stating "you have been hacked" and anti-Israel sentiments displayed on the pump house screen. Noel Walsh, a member of the water scheme, noted the absence of the usual phone alerts during the incident. The group's firewall security was possibly insufficient, and efforts are underway to enhance their cyber defenses. The restoration of water supply on Friday night brought relief after significant inconvenience. The U.S. FBI has highlighted similar attacks as part of a rising trend in cyber attacks linked to geopolitical tensions, citing an incident in Pennsylvania as a significant escalation. Deputy National Security Advisor Anne Neuberger emphasized the need for improved cybersecurity practices to counteract growing criminal and international threats.
The European Union has achieved a significant milestone by reaching an agreement on a comprehensive law to regulate artificial intelligence, potentially setting a global standard. This AI Act is designed to manage risk, enforce transparency, and impose financial penalties on non-compliant tech companies. It targets high-risk AI applications in sectors like self-driving cars and medical equipment, requiring companies to disclose data and undergo stringent testing. The law aims to balance innovation and protection, addressing the challenges posed by large-scale AI models like ChatGPT. It includes provisions banning the creation of facial recognition databases from Internet or security footage, with certain exceptions for law enforcement in specific cases. While the AI Act has been welcomed as a model for global AI regulation, it has also raised concerns about potentially stifling innovation and hindering Europe's competitive edge in AI development. The legislation offers exemptions for open-source AI models and imposes additional obligations on proprietary models deemed to have systemic risk. Companies violating the AI Act could face fines of up to 7% of their global revenue. This law underscores Europe's leadership in tech regulation. Following other impactful legislation like the General Data Protection Regulation, the GDPR, the AI Act is expected to influence AI legislation in other regions, including the United States, where the approach to AI regulation has been more incentivizing than restrictive. The law will take two years to be fully implemented and will require EU countries to establish national and regional bodies to regulate AI. The European Parliament is set to pass this legislation before the upcoming legislative elections.

Cisco Talos has uncovered a new campaign called Operation Blacksmith by North Korea's Lazarus Group, targeting the manufacturing, agricultural, and physical security sectors. This campaign involves at least three new malware families developed in DLang, including two remote-access Trojans. One of these RATs uniquely uses Telegram bots and channels for command-and-control communications. Researchers have identified similarities with previous operations by Lazarus's subgroup Andariel, known for initial access, reconnaissance, and establishing long-term espionage channels to support North Korea's governmental interests.
Microsoft and PwC have identified connections between the Sandman advanced persistent threat and the suspected Chinese threat actor Storm-0866/Red Dev 40. These links are based on overlapping targets, shared practices in controlling and managing command-and-control infrastructure, and coexistence on compromised systems. The research highlights the intricate nature of the threat landscape in China, characterized by significant cooperation and coordination among various groups. It also suggests the potential involvement of third-party vendors in supplying operational tools to these groups. Despite recognizing Sandman's association with Chinese adversaries known for using the KEYPLUG malware, the researchers continue to track Sandman as a separate entity until more definitive evidence emerges.
Researchers from the Singapore University of Technology and Design have identified vulnerabilities in the firmware of 5G mobile network modems produced by Qualcomm and MediaTek, as reported by BleepingComputer. These flaws, collectively called 5Ghoul, pose a risk of service disruptions or network downgrades. The researchers discovered that over 710 smartphone models currently available are affected by these vulnerabilities. They also caution that the actual number of impacted models could be higher, considering that firmware code is often reused across different modem versions.
Fortinet researchers have identified a phishing campaign that employs fake hotel booking notifications to distribute the MrAnon information stealer. This campaign primarily targeted Germany, as indicated by the significant number of URL queries from the region, particularly in November of 2023, suggesting increased and aggressive activity during that month. MrAnon is designed to steal sensitive information from victims, including credentials, system data, browser sessions, and cryptocurrency extensions.
IBM's X-Force has reported that ITG05, likely a Russian state-sponsored group, is conducting a phishing campaign using themes related to the Israel-Hamas war to spread the Headlace backdoor. This group is associated with APT28, UAC-028, Fancy Bear, and Forest Blizzard. Headlace, identified by CERT-UA in September, comprises a .cmd dropper, a .vbs launcher, and a .bat backdoor. The campaign targets humanitarian aid organizations, mainly in Europe, with geographically specific attacks designed to open only in certain countries. Nearly all of the targeted countries are United Nations Human Rights Council members. This focus is likely due to Russia's interest in the Council's potential actions against its activities in Ukraine. X-Force anticipates the continuation of similar campaigns.

Coming up after the break on today's Solution Spotlight segment, Kristie Grinnell from DXC Technology talks with N2K's President Simone Petrella about DXC's All In on Cyber program. Stay with us.
In today's Solution Spotlight segment, N2K's President Simone Petrella speaks with Kristie Grinnell from DXC Technology. They're talking about DXC's All In on Cyber program.
I am so excited to be here today with CIO of DXC, Kristie Grinnell. Kristie, thank you so much for joining me today.
Thank you so much for having us, Simone. It's great to be here and one of my favorite topics.
Can you tell us a little bit about yourself and your journey into the IT space?
Absolutely. So I am the CIO at DXC Technology, which is an IT solutions and services provider. We do technology from the bottom of the technology stack, storage, compute, network, all the way up to the top of the stack, analytics and engineering. So we have 130,000 employees across 80 countries, which are really servicing most of the Fortune 500 in some way with their technology needs. And myself, I grew up in technology from a business analyst and strategy perspective. So I'm actually not technical, Simone. I can't code. I can't design an architecture. I can't do anything like that. But I can ask a lot of questions and ensure we really focus on the business problems we're trying to solve and really growing our company.

I love though that you say that off the bat. Also, I'm going to call you out a little bit because I know you do have a degree in mechanical engineering. So to say you're not technical, maybe not in coding, but I'm going to call you out. I don't think that's true.
I have the problem solving capability and I was a mechanical engineer for three years at General Motors. And then I recognized that I was maybe more of a people person than I was an engineer who could design machines. So I went back to business school. But, you know, just always taking that, you know, methodical approach to solving problems, creative thinking and finding the right answer for the company, regardless of the problem we're trying to solve.
Well, I think that's a great backdrop for the discussion that we wanted to have today around kind of people and how companies, especially DXC, think about sort of leveraging people, especially as we tackle what is arguably, you know, a chronic workforce gap that we have struggled with in cybersecurity in particular, but STEM. And I think not only STEM in general, but especially for women and underrepresented talent. So I'm kind of taking it into a few directions there. But one of the things I know DXC has focused on, and I've heard you speak a lot about in talks that you've given, is how much the focus is in your firm and in your company on transformation and how people, in being a people person, it just drives everything that you all do. And I'd love to see if you could share a little bit more about some of the initiatives that DXC has in flight that embody that philosophy.
Absolutely. So one of the reasons I actually joined DXC is for the values that we have as a company and what I saw across our leadership. And one of those is to care for our employees first and foremost. And that means that we take care of each other and that we're very inclusive. That matters because in order to bring diversity to the table, in order to have diversity of thought, people need to feel that they are being cared for and that they are included and that their voice is wanted at the table, right? So that's the first part. The other two values that really matter here are to collaborate and do the right thing. And I just firmly from my heart believe that in order to do the right thing, that is to accept people for who they are with all of their good, all of their bad, but all of that experience, all of that culture, all of that viewpoint that they can bring, that's what drives innovation. So I started by saying that, you know, I'm a problem solver. I'm a decision maker. I can, you know, have creative thinking. But the more we bring that around the table, the better off we are. And it is a problem when you look at the technology field, you know, the majority of the technology field around the world has less than 30% women. We make up 50% of the workforce, Simone, that just doesn't sit right with me, right? And it's not because I'm like, hey, you know, we need to do this, but that means we're missing important perspective and viewpoints that will help us to solve more problems for businesses, to create more opportunity around the world in order to drive new things. So I think, you know, for me, I sit on the STEM for Her advisory board. I'm the executive sponsor of our Women Empowered employee resource groups here at DXC, which are a big part of what we do. But we also have programs like our Dandelion program, which is looking at neurodiverse abilities and how can we leverage those in the workforce? Because we know there's a lot of untapped talent there who can do some really great things. So I think if we all just open our mindset, which is what we're trying to do at DXC to care for people and the experience that they bring and allow that voice to be heard at the table, you just never know what we're going to do. And I know that at the end, we'll all do the right thing.
I love to hear about companies that are really kind of taking on that responsibility to sort of grow the talent. It's always so frustrating to me when I am in situations or conversations where we're able to talk about the talent gap. And everyone goes like, here are these opportunities for individuals. They just need to take the bull by the horns. And I'm like, no, we have to create an environment that allows them to do that and have something on the other side.
And a lot of people don't know, right? When you hear about IT, a lot of people think, especially IT, but also like STEM, just engineering, the math side of it, the technology side, a lot of people, number one, have fear of it because they don't know what they don't know. The other fear of it is that this is going to cost me a lot of money to get the education and the skills I need and be smart enough to work in this area. And that's actually not true. There's so much we can do with talent that doesn't have a college degree, but has the right certifications with early professionals who are, you know, really willing to dig in and roll up their sleeves and learn a new craft in technology. There's a lot of potential there. So I'm super excited about what it could look like, but we need to open up our aperture more for what we're willing to do as companies and people around the world.
Is there anything specifically at DXC that you all are doing around kind of entry-level talent? You mentioned some of the initiatives around neurodiversity and some other things. But once you actually identify those pools of talent, how are you kind of giving them that exposure and that training they need to be capable of fitting in these new roles?
Yeah. So this is specific to DXC, but also other companies that I've been in as well. Number one, internship programs are one of the best ways for a potential employee in a company to find out if they're a fit. And that's to find out if they're a fit from the role and the technology perspective, but also that other part, that cultural inclusion and values part that I discussed. And taking that internship to the next level where you're giving them a view, not just into the role that you hired them into, but also allowing them to sit with other roles in the company to see what options might be. Because that's what a lot of early professionals, they have no idea what it means to be like, you say, oh, we need technical analysts. And they're like, I'm technical. Like, what does that mean? I don't know what that is. And so, you know, that education of what are these things. And when you say you're an engineer, an engineer means a lot of different things in a lot of different companies. So the more we can bring in those early professionals and give them that internship, that's number one. The second thing, though, is that I believe in a build-your-own-talent philosophy, where we bring in early professionals and put them on the projects where they're going to get exposure to skills and leverage the talent they have, whether it be a certification or an education that they receive, but also get that hands-on real-world experience. And I'll give you an example. The service desk is an amazing place to start. And I know that some people are like, I don't want to sit and listen to calls all day that are really hard. But at the same time, you're seeing cyber issues, you're seeing network issues, you're seeing device issues, you're seeing application issues. You get a broad spectrum of what you're trying to do, and you're being told how to solve some of those entry-level problems. And sometimes you have to escalate it, but you get that view. And then that gives us the ability to also see who's picking this up really quick, who's able to help solve those problems really well and understand. And then that person on the service desk, and this, again, it's just one example, but they go, wow, I really like those problems that I'm solving in cyber. I want to do more, right? And so then, great, we have unlimited learning available here at DXC with Udemy and LinkedIn Learning to help our employees. They can go take more classes then in cyber, learn about it, and then apply for that next job. Look at that next career path, an opportunity you might want. So build your own talent is a real key way of doing that. That takes the employee digging in, right? They need to be a part of it and be willing to learn. It takes the managers being able to really watch and help nurture and coach and mentor that employee. And also for the company itself to invest in the learning capability and the time to do it, but also to have those types of career paths for people in the company as well.

Great. Well, Kristie, appreciate you taking the time to join us this afternoon and really appreciate it and love the discussion.
That's our own Simone Petrella speaking with DXC Technology's Kristie Grinnell.
And finally, following a data breach that exposed the personal details of 6.9 million users, 23andMe updated its terms of service to prevent customers from suing the company or joining class action lawsuits. This change stipulates that customers will automatically agree to the new terms unless they explicitly disagree within 30 days of notification. Meanwhile, two Canadian law firms are pursuing a class action lawsuit against 23andMe in the Supreme Court of British Columbia. A 23andMe spokesperson claims the terms were changed not to limit court relief, but to expedite dispute resolutions, allowing claims in small claims court and offering an opt-out option for mandatory arbitration. Despite this, experts like Chicago-Kent College of Law professor Nancy Kim question the company's ability to enforce these terms legally, especially since they might be attempting to shield themselves from the breach's fallout. The breach, which impacted almost half of 23andMe's customers, included data related to users with Ashkenazi Jewish and Chinese heritage. The company only revealed the full extent of the breach two months later. Criticism surrounds the mandatory arbitration clause in the new terms, considered biased against customers and often hidden in fine print. In the aftermath, 23andMe made two-factor authentication mandatory, a step previously recommended but not enforced. Kim labeled the lack of mandatory two-factor authentication as negligent given the sensitivity of the data involved. We often talk here about the importance of prioritizing patching in cybersecurity. In this case, it seems that 23andMe has prioritized patching their terms and conditions.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment [...] is Trey Hester, with original music by Elliot Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.