Cyber Intelligence Weekly

Cyber Intelligence Weekly (November 12, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here:

Before we get started on this week’s CIW, I’d like to highlight the Veterans Day holiday this weekend as we salute the brave men and women who have served our nation. Here at Echelon we have 4 veterans who served our country proudly: Chad E. LeMaire, Dahvid Schloss, Steve Snider, and Brian Goss. Thank you for your sacrifice and dedication. 🙌

Away we go!

1. SolarWinds Responds to SEC Charges With “Setting the Record Straight” Blog

In the wake of the recent SEC lawsuit against SolarWinds, the company has been vocal in its defense, emphasizing the support it has received from its customers and the broader cybersecurity community. SolarWinds has openly criticized the SEC’s actions, describing the lawsuit as legally and factually flawed, and has vowed to vigorously defend against the charges. The company argues that the SEC's complaint misrepresents the reality of their cybersecurity measures and efforts, and plans to address these misinterpretations in the legal proceedings.

SolarWinds is standing firm against the SEC’s allegations, particularly the claim that the company lacked adequate cybersecurity controls prior to the SUNBURST cyberattack. The company categorically denies these accusations, insisting that it had robust cybersecurity controls in place. SolarWinds contends that the SEC has selectively quoted documents and conversations to falsely portray the company's security posture.

Addressing specific allegations, SolarWinds clarifies that there was no VPN vulnerability that contributed to the SUNBURST attack. They argue that their VPN systems were a necessary adaptation to the pandemic's remote work requirements, and were adequately secured with controls designed to mitigate risks. Additionally, SolarWinds refutes the SEC's suggestion that they failed to adequately disclose cybersecurity risks in their regulatory filings, asserting that their disclosures were both accurate and comparable to those of leading U.S. technology companies.

SolarWinds' response is not just a defense against the SEC’s lawsuit but also a broader commentary on the potential negative impacts of such legal actions on cybersecurity practices. The company argues that the lawsuit could harm overall security by demanding public disclosure of sensitive security information, potentially aiding malicious actors. Furthermore, SolarWinds fears that this lawsuit might inhibit open internal communication among security personnel, which is crucial for identifying and addressing vulnerabilities.

SolarWinds is obviously very resolute in its stance against the SEC’s charges, asserting that their response to the SUNBURST attack was prompt, transparent, and in line with best practices. They emphasize the need for cybersecurity regulation to be informed by neutral, experienced experts, rather than through legal actions that might misinterpret and misrepresent complex security issues. The cybersecurity community's support for SolarWinds underscores the broader debate about the appropriate role of regulatory bodies in cybersecurity and the delicate balance between transparency and security, and maybe more importantly, the difficult job of predicting and mitigating cyber risk.

2. LockBit Group Successfully Hacks Largest Bank in the World, ICBC

The cybersecurity world has been rocked by the recent activities of LockBit, a notorious ransomware gang responsible for a series of high-profile cyberattacks, but almost none of their prior actions hit harder than the recent attack on the US arm of the Industrial & Commercial Bank of China (ICBC), the largest financial institution in the world. This attack, which impeded Treasury market trades, marks a significant escalation for a gang already known for targeting entities like the UK's Royal Mail and a British fintech firm whose compromise disrupted global derivatives trading. Their operations have caused widespread disruptions, from paralyzing Japan's largest maritime port to impacting Boeing Co.'s parts and distribution business.

LockBit, active since at least 2020, operates uniquely as a "ransomware as a service" enterprise. This business model involves core LockBit hackers developing malware and other tools, which are then used by freelance cybercriminals to carry out attacks. Successful attacks result in LockBit receiving a commission, typically around 20% of any ransom paid. The group has extorted more than $100 million in ransom demands from approximately 1,000 victims globally, according to the US Justice Department. This sophisticated operation has led cybersecurity experts to liken the founder of LockBit to an infamous tech mogul, emphasizing the gang's business-like approach to cybercrime.

LockBit's strategy involves using ransomware to infiltrate systems and then demanding payment to unlock compromised computers, often threatening to leak stolen data. They have victims across the globe, including Europe, the US, China, India, Indonesia, and Ukraine. Their tools are constantly updated to evade detection, with innovations like the LockBit Black malware, which simplifies the infiltration process for less skilled hackers. Despite their global reach, LockBit claims to avoid attacking post-Soviet Union countries, reflecting the origins of its developers and partners.

The targeting of ICBC, a major Chinese bank, by LockBit is particularly surprising given China's ban on cryptocurrency trading and its perceived alliance with Russia. However, LockBit maintains an apolitical stance, claiming their focus is purely on financial gain. This incident is a stark reminder of the evolving threat landscape in cybersecurity and the urgent need for enhanced defenses against such sophisticated ransomware attacks against our most critical infrastructure.

3. When Cyber Warfare Meets Missile Strikes: Sandworm's Attack on Ukraine

In a disturbing blend of digital and physical warfare, Russia's infamous Sandworm hackers have once again targeted Ukraine's power grid, causing a blackout that coincided with a missile strike on Ukrainian cities. This marks the third successful attack by Sandworm, a unit of Russia's GRU military intelligence agency, on Ukraine's power infrastructure. Notably, Sandworm is the only group known to have caused blackouts through cyberattacks, previously leaving hundreds of thousands of Ukrainian civilians without power. Their latest cyberattack, executed amidst Russia's full-scale war in Ukraine, targeted an electric utility in October, causing a blackout of undetermined magnitude and duration. This cyberattack was synchronized with a series of missile strikes across Ukraine, including the city housing the targeted utility, representing an unprecedented integration of cyber and conventional warfare.

Cybersecurity firm Mandiant, which has been assisting the Ukrainian government since the beginning of the Russian invasion in 2022, reported that Sandworm initiated this attack by gaining access to the industrial control system software of the utility's electrical substations. Interestingly, they waited to launch the cyberattack until the day of the missile strikes, suggesting a coordinated effort to maximize chaos and psychological impact on civilians. Two days post-blackout, the hackers deployed a "wiper" malware, aiming to erase evidence from the utility's computers.

Mandiant's investigation reveals an evolution in Sandworm's tactics. Unlike their previous attacks, which used custom malware like Crash Override (also known as Industroyer), this time they adopted a "living off the land" strategy, abusing tools already present on the network for stealthier and quicker operations. They managed to access the control systems within three months and developed their blackout technique within two months, indicating increased agility and adaptability in their operations.

Despite the sophistication of Sandworm's attacks, both Mandiant and the Ukrainian cybersecurity agency SSSCIP commend the resilience of Ukraine's digital defenses, pointing to the numerous Russian cyberattacks on Ukrainian infrastructure that have failed.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here:
