My keynote address and SolarWinds panel are at next week’s Digital Investigations Conference. Plus a lot of cool vendors.
2 June 2021 – The cybersecurity world was agog last week when Microsoft announced that the Russian hackers behind last year’s SolarWinds breach of several U.S. government agencies “were back”, hijacking an email system used by USAID, the U.S. development agency, to target more than 150 government agencies, human rights groups and NGOs worldwide. Microsoft said the hackers, which it tracks as Nobelium, were the same group that tampered with software from the U.S. company SolarWinds in order to breach the U.S. Treasury and Commerce departments, as well as the Pentagon and several Fortune 500 companies. The White House said last month the group was part of the Russian Foreign Intelligence Service (SVR).
In the latest attack, Microsoft said the group had used USAID’s account with the mass-email service Constant Contact to pose as the U.S. international development agency. They sent emails to more than 3,000 accounts at more than 150 government agencies, think-tanks, consultancies and non-governmental organisations. Targets who clicked the link in the emails gave the hackers a foothold from which to perform “a wide range of activities from stealing data to infecting other computers on a network.”
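The pattern above, a trusted bulk-mail provider relaying a message that wears a brand’s name but links out to someone else’s infrastructure, is one an analyst can triage mechanically. The Python below is an added example, not code from the original post or from Microsoft’s write-up. It assumes a set of click-tracking hosts (r20.rs6.net is Constant Contact’s; the second entry is a placeholder), an assumed brand-to-domain map, an assumed “url” redirect parameter, and two sample messages constructed for the example.

```python
"""Triage one e-mail for bulk-mail-provider impersonation.
Added example; the tracking-host set, brand map, 'url' parameter layout
and both sample messages are assumptions constructed for illustration."""
import email
import email.utils
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Assumed click-tracking hosts used by bulk-mail providers.  Legitimate
# newsletters pass through them too, so a hit is a signal, not a verdict.
BULK_MAIL_TRACKING_HOSTS = {"r20.rs6.net", "click.example-esp.invalid"}

# Assumed: brands that should only ever appear with their own From domains.
BRAND_DOMAINS = {"usaid": {"usaid.gov"}}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def in_domains(host, domains):
    """True when host is one of domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def from_parts(msg):
    """Return (display name, address domain) from the From header."""
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def final_target(url):
    """Unwrap a tracking redirect that carries its destination in a 'url'
    query parameter (assumed layout); otherwise return url unchanged."""
    parsed = urlparse(url)
    if parsed.hostname in BULK_MAIL_TRACKING_HOSTS:
        dest = parse_qs(parsed.query).get("url")
        if dest:
            return dest[0]
    return url


def triage(raw_message):
    """Return [(code, detail), ...] findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, from_domain = from_parts(msg)
    brand = next((b for b in BRAND_DOMAINS if b in name.lower()), None)
    expected = BRAND_DOMAINS[brand] if brand else {from_domain}
    findings = []

    # Display name claims a brand, but the address belongs to someone else.
    # SPF/DKIM 'pass' does not clear this: a hijacked bulk-mail account is
    # authenticated for the provider's domain, not for the brand it imitates.
    if brand and not in_domains(from_domain, expected):
        auth = msg.get("Authentication-Results", "")
        authed = "spf=pass" in auth and "dkim=pass" in auth
        findings.append(("brand-mismatch",
                         f"'{name}' sent from {from_domain}"
                         + (" (SPF/DKIM pass for that domain)" if authed else "")))

    # Tracking redirects whose real destination lies outside the expected domains.
    part = msg.get_body(preferencelist=("html", "plain"))
    for link in (HREF_RE.findall(part.get_content()) if part else []):
        hop = urlparse(link).hostname or ""
        if hop in BULK_MAIL_TRACKING_HOSTS:
            dest = urlparse(final_target(link)).hostname or ""
            if not in_domains(dest, expected):
                findings.append(("tracking-redirect", f"{hop} -> {dest}"))
    return findings


# Constructed sample: brand in the display name, provider domain in the
# address, a tracking link that unwraps to an outside host serving a disc image.
SAMPLE_PHISH = """\
From: USAID Special Alert <alerts@bulkmail-provider.invalid>
To: analyst@example.org
Subject: USAID Special Alert: new documents
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bulkmail-provider.invalid; dkim=pass header.d=bulkmail-provider.invalid
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://r20.rs6.net/tn.jsp?url=https://files.attacker.invalid/docs.iso">View the documents</a></p>
<p><a href="https://www.usaid.gov/">USAID</a></p>
</body></html>
"""

# Constructed sample: a genuine newsletter whose tracking link unwraps to the brand.
SAMPLE_LEGIT = """\
From: USAID <newsletter@usaid.gov>
To: analyst@example.org
Subject: Monthly update
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://r20.rs6.net/tn.jsp?url=https://www.usaid.gov/news">Read more</a></p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample))
```

The point of the second check is the one the campaign turned on: authentication results vouch for the sending provider, not for the brand in the display name, so a hijacked bulk-mail account passes SPF and DKIM cleanly. Where the real destination is unwrapped from the redirect, that is what gets compared against the brand’s domains.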
Steve King and I had a chat over the past weekend and he made it clear “the Russians never left. This is a continuation of multiple efforts by these hackers to target government agencies involved in foreign policy as part of intelligence-gathering efforts”.
NOTE: Steve will be on my panel “Beyond SolarWinds”, along with Andy Jenkinson and Richard Stiennon, at next week’s Digital Investigations Conference. More on that after the interview.
Steve and I discussed a number of topics in preparation for our panel but here are a few snippets from our chat about the latest Microsoft revelations:
ME: So, Microsoft tells us that APT29 (aka Nobelium) is back, this time targeting government agencies and NGOs with U.S. and European diplomatic and policy missions that would be of interest to foreign intelligence services. In particular, Eastern Europe and Russia. But how?
STEVE: Well, it’s not that they are “back”. It’s that they are “still here”. They never left. And we’ll get into more detail next week during our panel on the who, what, where and how. But in this case, they jumped on Constant Contact’s mass emailing service, masquerading as a legitimate link that, when clicked, delivered a malicious image file that injects a custom Cobalt Strike Beacon implant.
ME: Aka, a backdoor?
STEVE: Yes. 3,000 email accounts at more than 150 different organizations. Aka, phishing. This one comes equipped with capabilities for persistent access, lateral movement, exfiltration, and additional malware installations. If the target is an iOS device, a redirect dispatches an exploit for the then zero-day CVE-2021-1879. Apple has acknowledged that this issue may have been actively exploited.
ME: So the song has changed, but the tune remains the same?
STEVE: Correct. Their playbook is to gain access to trusted technology providers, and by piggybacking on software updates and mass email providers, they increase the impact of collateral damage in espionage operations and undermine trust in the technology ecosystem. It’s the last part that is important. Zero Trust in the wrong direction.
ME: I know we’ll get into Zero Trust next week but your key thoughts?
STEVE: In brief, Zero Trust design requires minimum standards for testing software code and secure cloud services. The model eliminates trust in any part of the ecosystem, including nodes or services — and mandates that there is continuous verification of operations and data flows. And it is time sensitive.
But my biggest issue right now is that the increasing complexity of cloud, multi-cloud, and hybrid network environments and the rapidly evolving nature of adversary threats has exposed the Achilles heel of traditional network cybersecurity defenses. Traditional defenses with multiple layers of disjointed security technologies are ineffective against modern threat actors. We need a better way to provide secured, unified-yet-granular access control to data, services, applications, and infrastructure. Some skeptics may not want to hear this, but with impaired visibility, risk-ignorant access decisions, and manual detection and response, we cannot prevent breaches. Zero Trust is an “assumed breach” security model that is meant to guide the integration of disparate but related capabilities into a cohesive engine for cybersecurity decision-making. But, to be fully effective, Zero Trust principles need to permeate everything. Getting there will take time and effort, as it requires rethinking and reengineering the entire computing ecosystem. And the process is incremental.
ME: Ok, let’s leave your firepower for next week.
9-10 June 2021
Next week is the virtual edition of Arina’s now-famous Digital Investigations Conference, Switzerland’s only such conference, which provides a platform for computer forensic experts, vendors, partners and sponsors working in digital investigations and e-Discovery. It was created and is sponsored by Arina, one of the dominant resellers for globally leading products in the areas of digital forensics, mobile forensics, e-discovery, cybersecurity, data duplication systems and network forensics.
DIC draws attendees from academia, advisory services, corporations, government agencies, law enforcement units, law firms and military organisations, so common digital investigation issues and problems get viewed from multiple angles.
For the full agenda click here.
To register click here.
I am making a return appearance as the opening day keynote speaker and my address is entitled “Sometimes it seems life itself is a virus”. COVID-19, Encrochat, massive and recurring data breaches and ransomware attacks, artificial intelligence gone wild, etc., etc. The dynamics of global insecurity … digital and otherwise, and all the related threats … are eerily similar to the lead-up to the pandemic. It can sound like a cacophony. And just as with the pandemic, the alarm has been ringing about digital security for decades, but we keep hitting snooze instead of waking up and dealing with the threat. I am going to unpack some of this, look at the vulnerability of networked systems and think about it in terms of DIC’s three main themes this year: traditional digital investigations, cloud investigations and open source intelligence.
On Day 2 I will moderate a panel “Beyond SolarWinds”. The discovery of the most sophisticated cyber intrusion ever to be mounted against a country created chills across the entire cybersecurity ecosystem. This cyber-attack is exceptionally complex and continues to evolve. We’ll discuss how SolarWinds happened, how that attack completely upended our cyber world and what it means for the future.
And my panelists are stars in the cybersecurity field: Steve King (founding Board Member at CyberEd.io and certified CISM and CISSP); Andy Jenkinson, Group CEO of The Cryptography Governance and author of the newly published “Stuxnet to Sunburst: 20 Years of Digital Exploitation and Cyber Warfare”; and Richard Stiennon, renowned research analyst and advisor to IT security technology providers and CISOs and their teams, and author of the “Security Yearbook 2021”.
I have merely skimmed the surface of their backgrounds. They each bring 20+ years’ experience in the cybersecurity markets as CISOs, CEOs, CMOs and cybersecurity technology product and services advisors, and have dissected the SolarWinds issues and the Colonial Pipeline attack in fine detail.
We have a laundry list of topics to get through (probably far too many to cover in 45 minutes) which include:
– how did SolarWinds happen?
– how did the Russians know how crucial Colonial Pipeline was to the U.S. oil pipeline system?
– what is applied artificial intelligence and the dangers lurking within for all cybersecurity practitioners?
– algorithms racing through Microsoft code at the speed of 5G: can we run faster than our adversaries?
– just how do you modernize your cyber defenses?
Plus you’ll meet the leading companies in the digital investigation, intelligence and e-discovery communities:
– Briefcam
– CipherTrace
– Freezingdata
– Magnet Forensics
– Nuix
– OpenText
– Oxygen Forensics
– Passware
– Reveal Data
– Rampiva
I hope you can make it.