Cyber Intelligence Weekly

Cyber Intelligence Weekly (August 13, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here:

Before we get started on this week’s CIW, I’d like to highlight an exciting new Echelon webinar series - "Chew on This: Meaty Discussions on the Convergence of Security + Business." In these monthly lunchtime sessions, we'll serve up 30-minute, information-packed discussions covering essential topics at the intersection of cybersecurity and business. No tech deep-dives, no yawn-fests - just high-energy, high-value conversations aimed at helping organizations drive a more secure business.

🍽️ First Course: Communication – How to Build a Bridge Between Security and the Business

📅 Date: 16th August 2023

🕒 Time: 12:00 PM EST

🎤 Panelists: Matt Donato (Moderator), Paul Interval, Jeff Hoge

In our inaugural event, we will delve into the critical issue of communication between security and business. How can businesses effectively communicate their security and risk programs to the board and other key stakeholders? Should security and risk leaders have a seat at the business table? When and how should they communicate with the board?

Away we go!

1. NPO Mash Breach, North Korea's Growing Cyber Threat Targets Missile Maker

SentinelLabs recently identified a security breach within the Russian defense industrial base, specifically targeting NPO Mashinostroyeniya, a missile engineering organization. Investigations have unveiled two instances where North Korea-linked groups compromised sensitive IT infrastructure within this Russian entity, including an email server, using a Windows backdoor named OpenCarrot. The email server compromise is attributed to the ScarCruft threat actor, while another intrusion involved a Lazarus Group backdoor. The precise relationship between these two North Korean threat actors remains uncertain, but they may have collaborated or acted separately.

NPO Mashinostroyeniya, or NPO Mash, is a top Russian manufacturer of missiles and military spacecraft, which holds confidential information on missile technology currently in use and in development by the Russian military. SentinelLabs' investigations originated from a leaked email collection containing an implant associated with North Korean cyber campaigns. While a substantial portion of these emails was unrelated to the intrusion under review, they still provided context on the organization's internal network and its vulnerabilities. Internal emails from NPO Mashinostroyeniya revealed that their IT staff had flagged this cyber intrusion a week before Russia vetoed a U.N. resolution imposing new sanctions on North Korea.

The suspicious file identified appeared to be a version of "OpenCarrot", a Windows backdoor attributed to the Lazarus Group. This tool allows full control over infected machines and, potentially, entire networks. Separately, a compromised business email server was found to be communicating with infrastructure tied to the ScarCruft threat actor, another group associated with North Korea. The intrusion underscores North Korea's aggressive cyber espionage campaigns and sheds light on the dynamics between different North Korean cyber groups. The event also hints at a potential strain in Russia-North Korea relations despite their growing ties. This case exemplifies the potential collaboration or coexistence of different North Korean cyber entities, possibly driven by the strategic importance of the target.

With high confidence based on the details noted above, SentinelLabs attributes these security events to North Korean-affiliated threat actors. The event exemplifies North Korea's strategic efforts to clandestinely bolster its missile development goals by directly compromising an entity within the Russian Defense-Industrial Base. The convergence of North Korean cyber groups poses a significant threat, underscoring the need for global surveillance and a robust strategic response.

2. Electoral Commission Hack: Data of 40 Million UK Voters Compromised

The Electoral Commission, the United Kingdom's authoritative body overseeing electoral processes, recently acknowledged a severe breach exposing the personal data of approximately 40 million voters. It revealed that a "complex cyberattack" had left its systems exposed for over a year: hostile actors first infiltrated its databases in August 2021, and the suspicious activity was not detected until October 2022.

According to reports, the Commission is focused on the importance of eliminating the threat from their systems, understanding the breach's full scope, liaising with the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO), and fortifying their cybersecurity mechanisms going forward. Post-breach measures implemented by the Electoral Commission have involved enhancements like stringent login requirements, escalated threat surveillance, and updated firewall protocols.

While the compromised data incorporates voters' comprehensive details, from full names to email correspondences, the Commission is currently uncertain if this information was exported by the attackers. However, they've emphasized that the security integrity of U.K. elections remains unaffected, attributing it to the dispersed nature of the democratic process and reliance on paper-based systems.

Despite the severity of the breach, the identity of the perpetrators remains shrouded in mystery, with both the Electoral Commission and the NCSC refraining from speculating on the culprits' identities. The delay in the public disclosure of this security lapse, spanning nine months, remains a contentious issue, with the ICO confirming their awareness but declining to elucidate on the reasons behind the postponement.

3. Deep Learning Model Can Decode Keyboard Keystrokes Through Sound

Researchers from British universities have developed a deep learning model with a startling capability: it can decode keystrokes recorded via a microphone with a 95% accuracy rate. When Zoom was the medium for recording, the prediction accuracy decreased slightly to 93%. This innovation has severe implications for data security. Unlike other side-channel attacks, which may be limited by distance or require specific conditions, acoustic attacks leverage the ubiquity of microphone-equipped devices, which can capture high-quality audio. With advancements in machine learning, these sound-based attacks are not just feasible but alarmingly effective.

The methodology is straightforward: first, keystrokes on a target's keyboard are recorded, either through a nearby microphone, an infected smartphone, or even via a Zoom call. The researchers collected data from a MacBook Pro, recording the distinct sounds of each key. These sounds were then transformed into visual waveforms and spectrograms, which showcased identifiable differences for every key. These visuals were used to train 'CoAtNet', an image classifier. The highest accuracy levels were achieved using the same laptop model, an iPhone 13 mini placed near the target, and Zoom recordings. Skype, while effective, was slightly less accurate at 91.7%.

For those concerned about this kind of attack, there are some mitigation techniques. Altering typing styles, using randomized passwords, or running software that plays back decoy keystroke sounds are some methods. White noise or keystroke audio filters can further mask key sounds. However, even quiet keyboards do not escape this model's accuracy. As a proactive measure, adopting biometric authentication and password managers removes the need to type secrets manually, reducing exposure to this class of attack.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here:
