Welcome to The Cybersecurity 202! I'll be on vacation the next couple weeks. Please send Aaron your best news and tips while I'm away. He'll be running the shop along with a few special guest hosts. Below: The Russian military was behind a hack of the satellite firm Viasat in the early days of the Ukraine invasion, U.S. intelligence analysts conclude, and U.K. police arrested seven people in the Lapsus$ hacking case.

DOJ to industry: Boost cyber protections or you could be the next victim

Deputy Attorney General Lisa O. Monaco. (Manuel Balce Ceneta/AP)

The U.S. Justice Department released indictments against four Kremlin hackers yesterday — but the real message was for U.S. businesses. While the Russian hackers will almost certainly never see the inside of a U.S. courtroom, the indictments send yet another loud and clear signal to U.S. businesses that they'd better raise their guard against a Russian hacking threat that's as dangerous as it's ever been. "Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant," Deputy Attorney General Lisa O. Monaco warned. Monaco added that Russian government-backed hackers "pose a serious and persistent threat to critical infrastructure both in the United States and around the world."

Details: The two indictments focus on a global hacking campaign against energy sector companies in 135 countries between 2012 and 2018. The hacking campaign targeted numerous U.S. firms and caused an emergency shutdown at one foreign facility, Devlin Barrett reported. It's not clear how many energy firms the hackers actually compromised.
The indictments were both filed under seal last summer and unsealed yesterday. There's no evidence of serious destruction caused by the hacks, but many of them raised the possibility of such destruction — either through the hackers' maliciousness or carelessness.

- From Devlin: One of the indicted hackers, Viktorovich Gladkikh, who worked at a Russian Ministry of Defense research institute, "allegedly conspired to hack a Saudi Arabian oil refiner's sulfur recovery systems — which, depending on the severity of the malfunction, could have caused explosions or released toxic gases," officials said.
The indictments are the latest salvo in a concerted U.S. government effort to keep pressure on U.S. companies to gird their cyber defenses against Russian hacks. Officials including President Biden have said they expect those hacks to target critical sectors such as energy, finance and transportation in response to U.S. sanctions for Russia's invasion of Ukraine. Russia might also aim damaging hacks at Ukraine that leak out to computers in the United States and elsewhere, as happened with the NotPetya bug in 2017. "The conduct alleged in these indictments are the kind we are concerned about" in the current environment, a Justice Department official said, per the Wall Street Journal's Dustin Volz. Officials have been hammering similar points since before the Russian invasion with near-daily updates, a slurry of cyber checkup guides and a nearly three-hour briefing for industry hosted by the Cybersecurity and Infrastructure Security Agency (CISA). CISA jumped on the DOJ announcement with a guide for energy firms to protect against similar attacks from Russian hackers. CISA Director Jen Easterly:

Experts also interpreted the indictments as a signal to industry. Chris Painter, former top cyber ambassador during the Obama administration:

Harvard professor and former Department of Homeland Security official Juliette Kayyem:

Katie Nickels, director of intelligence for Red Canary:

John Hultquist, vice president of intelligence analysis at the cybersecurity firm Mandiant, which has extensively tracked the hacking group: "We have never seen this actor actually carry out disruptive attack[s], just burrow into sensitive critical infrastructure for some future contingency. Our concern with recent events is that this might be the contingency we have been waiting for."
And yet: The indictments are unlikely to alter the dangerousness or brazenness of Russian hacking operations, which have continued unabated despite numerous previous rounds of sanctions. They are, however, chock full of chilling details about Russian hacking operations. Here are some more details via Devlin:

- "In one instance, the hackers were able to breach the business network for the Wolf Creek nuclear power plant outside Burlington, Kan.," according to one indictment. That's a separate computer network from the industrial systems that run nuclear operations, but hackers have been known to jump from business systems to industrial systems in the past.
- "FSB hackers placed malware on more than 17,000 different devices [across numerous energy firms] 'to establish and maintain surreptitious, unauthorized access. … Such accesses [could have] enabled the Russian government to disrupt and damage such systems, if it wished.' "
The hackers in some cases relied on a particularly damaging form of malicious software called Triton. Here's a deep dive on the malware by Blake Sobczak for E&E News.

The keys

Russian military behind Viasat hack, intelligence analysts conclude

The hack disrupted Internet access as Russia invaded Ukraine. (Mike Blake/Reuters)

U.S. intelligence analysts have concluded that Russian military hackers were behind a cyberattack on a satellite broadband service that disrupted Ukraine's military communications, Ellen Nakashima reports. The U.S. government hasn't announced its conclusion publicly. The Russian military spy service, the GRU, was behind the compromise, officials said, speaking on the condition of anonymity because of the matter's sensitivity.

Impact: "The recent outages, which began on Feb. 24 — the day Russia invaded Ukraine, resulted from the hack of satellite modems belonging to tens of thousands of people in Ukraine and other countries in Europe, according to an official with the U.S. firm Viasat, headquartered in Carlsbad, Calif.," Ellen writes. "Agencies affected included civilians as well as Ukraine's military and other government agencies, according to Ukrainian officials."

Context: The Viasat hack marked the most significant use of cyber operations in the Russian invasion so far. Despite extensive Russian cyber capabilities, the military's use of cyber tools has been less than many analysts predicted.

From Saloni Sharma, spokeswoman for the National Security Council: "We do not have an attribution to share at this time and are looking at this closely. As we have already said, we are concerned about the apparent use of cyber operations to disrupt communications systems in Ukraine and across Europe and affect businesses and individuals' access to the Internet."

In other Ukraine news:

- NATO is increasing its members' intelligence sharing related to Russian cyberattacks, the alliance said. It also said it would continue to support Ukraine's cyberdefenses, Politico Europe's Laurens Cerulus reports.
- Ukraine is also publicly asking Israel for access to NSO Group's Pegasus spyware in the wake of a Washington Post report that Israeli officials blocked a license for fear of angering Russia, Axios's Barak Ravid reports.
U.K. police investigating Lapsus$ hacking gang arrest seven people

The group has claimed responsibility for a string of breaches, including a hack of tech giant Microsoft. (Swayne B. Hall/AP)

The suspects have been released while police continue to investigate, the BBC's Joe Tidy reports. The group has claimed responsibility for a string of hacks that compromised major tech companies, including Microsoft, Samsung and Nvidia. Cybersecurity researchers identified one of the group's apparent leaders after tracking the teen online. "We did it by watching the post history of an account and seeing older posts provide contact information for the guy," Unit 221B chief research officer Allison Nixon told Tidy. The hacker's mistakes in covering his tracks helped researchers, Nixon said.

CISA director apologizes for public release of call with critical infrastructure partners

CISA Director Jen Easterly publicly apologized and pledged to "do better." (Kevin Dietsch/Getty Images)

CISA Director Jen Easterly posted audio from the three-hour briefing in an effort at transparency, she said. But she removed it the next day after evidently receiving complaints from industry officials who didn't know it would be released. Easterly said she appreciated "feedback" from people with concerns because she "failed to announce it." Some of those critical infrastructure partners asked blunt questions during the call. Agency officials said during the call that it was being recorded but also said it was "not intended for members of the media, and the content is not for reporting purposes." By the time Easterly apologized, the recording had gotten more than 4,700 views on YouTube. Here's more from Easterly:

Context: CISA has historically striven to maintain a strong and cooperative relationship with industry — including keeping confidential industry reports about cyberthreats. But trust has been slower to develop with some industries, and the fracas over the audio release could make it even tougher. From a CISA spokesperson: "Given the excellent dialogue with the community and the desire to make the content as widely available as possible given today's current threat environment, we made the decision to post the call online. Given expressed concerns from stakeholders, however, we removed the Q&A portion of the call."

Cyber insecurity

Musician Grimes says she hacked a blog to block personal photos

Musician Claire Boucher, who goes by the moniker Grimes, said in a Vanity Fair interview that her friend helped her launch a 2012 denial-of-service attack that overwhelmed the snarky blog Hipster Runoff with traffic, Motherboard's Samantha Cole reports. Boucher was upset that the blog posted photos of her kissing another woman. The blog did indeed go mysteriously offline around that time. Launching denial-of-service attacks is a federal crime, but Boucher is "well beyond the statute of limitations," Cole reports. "We were like, we're not gonna let you put your site back up until you take the story down," the musician said in the interview. "And he did in fact take the story down, and it was like, my coolest hacker moment."

Daybook

- The ShmooCon hacker convention convenes in Washington until Saturday.
- National Cyber Director Chris Inglis speaks at the Atlantic Council's opening of its D.C. Cyber 9/12 Strategy Challenge today at 8:30 a.m.
- CISA Executive Director Brandon Wales, U.S. Secret Service Director of Cyber Policy and Strategy Matthew Noyes and Trellix chief executive Bryan Palma speak at a Center for Strategic and International Studies event on Monday at 3 p.m.
- The House Judiciary Committee holds a hearing on oversight of the FBI's Cyber Division on Tuesday at 10 a.m.
- The House Homeland Security Committee holds a hearing on securing critical sectors from Russian cyberattacks on Wednesday at 10 a.m.
- CISA's cybersecurity advisory committee meets on Thursday at 2 p.m.
- The Center for Strategic and International Studies hosts an event on the cybersecurity implications of U.S.-China technology decoupling on Thursday at 2 p.m.
- Homeland Security Secretary Alejandro Mayorkas and Dilan Yeşilgöz-Zegerius, the Netherlands's Minister of Justice and Security, speak at an Atlantic Council event on securing marine transportation systems on April 1 at 10:30 a.m.
Secure log off

Thanks for reading. See you guys on the other side.