Start your day with intelligence. Get The OODA Daily Pulse.

CISA usually puts out an official Shields Up! advisory on long U.S. holiday weekends (based on the historical pattern of increased cyber activities directed at the U.S. during those weekends).

Although this weekend was not a holiday weekend, based on the recent cyber incidents and strategic threat vector activity itemized in this post, we put up the Shields Up! advisory starting on Friday to highlight recent CISA CSAs and Joint CSAs regarding ransomware, DNA resolution, recent targeting of the defense industrial base and other information threat vectors (Chinese hacking activity, etc.).

Recent Cyber Incidents of Concern

DoS cyber-attack hits several airport websites in the US:  Russian-speaking hackers…reportedly hacked the websites of major airports in the US, leaving them temporarily inaccessible.  Websites at 14 airports were hit by the cyber-attack, with many of them now restored.  Airport operations were not affected by the breach. Speaking to ABC News, a senior official said that the impacted systems do not manage air traffic control, internal airline communications and coordination or transportation security. The cyber-attack, called denial of service (DoS), was designed to disrupt systems that are used by people to check flight timings and other information.  Port Authority was the first to inform the Cybersecurity and Infrastructure Security Agency about LaGuardia Airport (LGA) system breach at around 3am.

Kyiv Hit by Drone Attacks as Russia Targets Infrastructure: Kyiv Hit by Drone Attacks as Russia Targets Infrastructure – Moscow is attacking Ukraine’s energy facilities and other strategic sites as winter approaches.  Russia launched a fresh wave of Iranian-made drones to attack central Kyiv in the early hours of Monday, Ukrainian officials said, as Moscow presses a campaign targeting Ukraine’s energy infrastructure before the onset of winter.

Russia’s Attacks on Ukrainian Dam, Power Stations Signal a Tactical Shift After Losses:  Russia’s Attacks on Ukrainian Dam, Power Stations Signal a Tactical Shift After Losses – Strikes on civilian infrastructure mark a new phase in the war, with flooding and freezing winter temperatures turned into weapons.   KRYVYI RIH, Ukraine—Russian missiles had blown a hole in the dam that sits above this city, sending water rushing through and threatening to inundate tens of thousands of homes.  “It looked like Niagara Falls,” said Oleksandr Vilkul, the city’s top official.

An ‘unprecedented’ hospital system hack disrupts health-care services:   The second-largest nonprofit U.S. hospital chain is dealing with a cybersecurity incident this week that affected facilities across the country, forcing ambulance diversions, system shutdowns and patient appointment rescheduling.  CommonSpirit Health isn’t yet providing specifics about what happened. The chain says it has 140 hospitals and more than 1,000 care sites in 21 states. Facilities in Iowa, Nebraska, Tennessee and Washington were among those enduring disruptions.  One expert called the incident an extraordinary one for the United States. Cybersecurity risks in the health-care sector can mean a potential threat to lives.  “The scope is perhaps unprecedented in terms of the health-care sector,” Brett Callow, a threat analyst at the cybersecurity company Emsisoft, told me. CommonSpirit, he said, is “absolutely massive.”

https://twitter.com/GossiTheDog/status/1577548992161923072

Strategic Information Threat Vectors

Sophisticated Covert Cyberattack Campaign Targets Military Contractors:   Researchers at Securonix have detected a cyberattack campaign that is focused on cyber espionage. The campaign highlights the sophisticated nature of cyber threats agains the US, specifically defense contractors, and across the globe. The campaign has been dubbed STEEP#MAVERICK by Securonix researchers and has already hit multiple weapons contractors in Europe over the past several months. This includes a potential attack on a supplier to the US F-35 Lighting II fighter aircraft program, the security researchers say.  Securonix stated that what makes the campaign of note is that the attacker is paying very close attention to operations security to ensure that the malware is very difficult to detect. In addition, the malware is hard to remove and presents a challenge in the analyzation process. The malware is based on PowerShell and boasts an advanced range of tactics, counter-forensics, and methodology. In addition, Securonix wrote in its report that the malware contains multiple layers of obfuscation to hide its code.

U.S. Water Utilities Prime Cyberattack Target, Experts:  Last week the Center on Cyber and Technology Innovation (CCTI) and the Cyberspace Solarium Commission released new statements regarding the security of US water facilities. According to the statement, industrial controls governing water facilities and critical infrastructure are underprepared for cyberattacks. In addition, they remain a prime target for attackers who wish to harm the US critical infrastructure. Security experts claim that the potential for attack is too high to ignore due to the serious consequences it would have on US populations.

CISA: Iranian hackers spent 14 months in Albanian gov’t network before launching ransomware:   The Cybersecurity and Infrastructure Security Agency (CISA) and FBI said [in a recent alert] that hackers connected to Iran’s military spent 14 months inside the networks of the Albanian government before launching a ransomware attack that caused widespread damage in July.  The FBI did not specify which Iranian hacking group was behind the incident but explained that in their investigation, they found the hackers exploited an Internet-facing Microsoft SharePoint through CVE-2019-0604.  Cybersecurity agencies classified CVE-2019-0604 as one of the most exploited bugs throughout 2020 and has been abused by both nation-states and ransomware gangs.   According to the alert, the hackers were able to maintain continuous access to the network for more than a year, frequently stealing emails throughout 2021. By May 2022, the actors began moving laterally and examining the network, performing wider credential theft across Albanian government networks.

Recent CISA CSAs and Joint CSAs

#StopRansomware: Daixin TeamNote: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.  The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.  This joint CSA provides TTPs and IOCs of Daixin actors obtained from FBI threat response activities and third-party reporting.  Download the PDF version of this report: pdf, 591 KB

CISA Launches its Protective DNS Resolver with General Availability for Federal Agencies:  We are excited to announce that Protective Domain Name System (DNS), our latest shared service offering, is available to all federal civilian agencies. This service is made available through the work of CISA’s Cybersecurity Shared Services Office and, in particular, Christopher Villas, our Protective DNS Service Product Manager, and Branko Bokan, the Lead Technical Advisor. After successful testing with a limited number of agencies, we are now actively onboarding agencies into this service with modernized capabilities to detect and prevent threats in internet traffic and raise our collective cyber defense.

Protective DNS safeguards the federal enterprise through the following features:

  • Expanded Coverage. Traditional on-premises networks, cloud-based assets, as well as roaming and mobile devices are protected, regardless of their location.
  • Enhanced Threat Intelligence. Commercial threat intelligence feeds provide greater comprehensive threat detection and prevention.
  • Real-Time Alerts. The service’s application programming interface increases early response capabilities by way of rapid threat notifications.
  • Increased Visibility and Accessibility. Agencies benefit from access to threat trends and full DNS traffic logs, shining a light on common threats.
  • Zero-Trust Alignment. The latest and greatest cybersecurity principles ensure full protection, no matter how and where agency devices connect.

Protective DNS is now available to all agencies. For more information about this and other shared services, FCEB agencies may contact the CISA’s Cybersecurity Shared Services Office at [email protected]. While CISA’s legal authorities currently limit provision of Protective DNS to FCEB agencies, all other organizations should visit our Cyber Resource Hub for additional available services.

NSA, CISA, FBI Warn of Custom Exfiltration Tools Being Used Against Defense Industrial Base Organization:   The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI released a Cybersecurity Advisory that details the tactics, techniques and procedures (TTPs) that likely multiple advanced persistent threat (APT) groups recently used to steal sensitive information from a Defense Industrial Base organization. The advisory, “Impacket, Custom Exfiltration Tools Used to Steal Sensitive Information from Defense Industrial Base Organization,” provides indicators of compromise and TTPs used by the groups and shares guidance to detect and prevent related activity.  During a hunt on the organization’s network, CISA and a third-party incident response organization discovered the following malicious activity:

  • Once on the network, APT actors leveraged Impacket in their attack, a toolkit for programmatically constructing and manipulating network protocols
  • The actors used a custom exfiltration tool called CovalentStealer to steal the victim’s data
  • The actors exploited a Microsoft Exchange vulnerability on the organization’s server to gain access remotely and compromised legitimate company accounts to access the accounts of other employees

They recommend that Defense Industrial Base sector and other critical infrastructure organizations implement the mitigations in the advisory to ensure they are managing and reducing threats to their networks.
Read the full report here.    Visit the full NSA library for more cybersecurity information and technical guidance.

Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors:   This joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People’s Republic of China (PRC) state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.

This joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).  NSA, CISA, and FBI urge U.S. and allied governments, critical infrastructure, and private sector organizations to apply the recommendations listed in the Mitigations section and Appendix A to increase their defensive posture and reduce the threat of compromise from PRC state-sponsored malicious cyber actors.  For more information on PRC state-sponsored malicious cyber activity, see CISA’s China Cyber Threat Overview and Advisories webpage, FBI’s Industry Alerts, and NSA’s Cybersecurity Advisories & Guidance.

Download the PDF version of this report: pdf, 409 K

CISA Releases RedEye: Red Team Campaign Visualization and Reporting Tool:   CISA has released RedEye, an interactive open-source analytic tool to visualize and report Red Team command and control activities. RedEye allows an operator to quickly assess complex data, evaluate mitigation strategies, and enable effective decision making.  For more information, CISA encourages users to review RedEye on GitHub and watch CISA’s RedEye tool overview video.

Further OODA Resources

NSA sets 2035 post-quantum cryptography deadline; Joint Advisories with CISA and FBI

OODA Loop – Part III: Dr. Tether and Dr. Porter on Cybersecurity:  This series highlights the OODAcast conversations with OODA CTO Bob Gourley, Dr. Tony Tether and Dr. Lisa Porter.  In Part III,  Bob made a point of asking both Tony and Lisa their perspective on the future of cybersecurity.

C-Suite Guide: Improving Cybersecurity Posture Before Russia Invades Ukraine

https://oodaloop.com/archive/2022/03/22/the-cisa-shields-up-initiative/

Further CISA Resources

NECP Webinar: Be Prepared! Cyber Incident Response Planning for Emergency Communications:  By developing and maintaining a cyber incident response plan, as recommended in the National Emergency Communications Plan (NECP), public safety organizations can more effectively identify, mitigate, and respond to cyber risks. However, many organizations lack the funding and resources to conduct cybersecurity planning. But they don’t have to do it alone! Experts such as Statewide Interoperability Coordinators (SWIC), information technology administrators, CISA Cybersecurity Advisors (CSA), and CISA Emergency Communications Coordinators (ECC) are available to assist with planning. This webinar will detail the importance of cyber incident response planning for public safety organizations, provide actionable guidance on how to create new or update existing cyber incident response plans, and share information on resources and tools to assist in the process.

Join the webinar to learn about:

  • Leveraging NECP best practices for cyber planning
  • How cyber planning can help to protect and quickly restore emergency communications systems
  • Tools and resources designed to enhance an organization’s cybersecurity posture

Stop Ransomware | CISA

Resources | CISA

Preparing for Cyber Attacks: The CISA Online Resource Hub

CISA’s Role in Industrial Control Systems

Control System Defense: Know the Opponent:  Operational technology/industrial control system (OT/ICS) assets that operate, control, and monitor day-to-day critical infrastructure and industrial processes continue to be an attractive target for malicious cyber actors. These cyber actors, including advanced persistent threat (APT) groups, target OT/ICS assets to achieve political gains, economic advantages, or destructive effects. Because OT/ICS systems manage physical operational processes, cyber actors’ operations could result in physical consequences, including loss of life, property damage, and disruption of National Critical Functions.  OT/ICS devices and designs are publicly available, often incorporate vulnerable information technology (IT) components, and include external connections and remote access that increase their attack surfaces. In addition, a multitude of tools are readily available to exploit IT and OT systems.

As a result of these factors, malicious cyber actors present an increasing risk to ICS networks.  Traditional approaches to securing OT/ICS do not adequately address current threats to those systems. However, owners and operators who understand cyber actors’ tactics, techniques, and procedures (TTPs) can use that knowledge when prioritizing hardening actions for OT/ICS.  This joint Cybersecurity Advisory, which builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure [1] [2], describes TTPs that malicious actors use to compromise OT/ICS assets. It also recommends mitigations that owners and operators can use to defend their systems. NSA and CISA encourage OT/ICS owners and operators to apply the recommendations in this CSA.  Download the PDF version of this report: pdf, 538.12 kb

Stay Informed

It should go without saying that tracking threats are critical to inform your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and risks to business operations.

Related Reading:

Explore OODA Research and Analysis

Use OODA Loop to improve your decision-making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Strategies, Business Intelligence, and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, and Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation-state conflict, non-nation state conflict, global health, international crime, supply chain, and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders, and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences, and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member-only video library. Explore The OODA Community.

Daniel Pereira

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.