As we slide into the end-of-summer weekend in the U.S., we take a “bird’s eye” view of the high threat level created by the 2024 U.S. Presidential Election. In this post: a situational awareness and threat vector survey of information warfare, social engineering, and ransomware incidents and activities worldwide as of Friday, August 30, 2024 – including a very recent joint Cybersecurity Advisory from the Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Department of Health and Human Services (HHS), and context on the recent arrest of the Telegram CEO.
Ransomware
CISA—in partnership with the Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Department of Health and Human Services (HHS)—released a joint Cybersecurity Advisory, #StopRansomware: RansomHub Ransomware. This advisory provides network defenders with indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with RansomHub activity identified through FBI investigations and third-party reporting as recently as August 2024.
RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—which has recently attracted high-profile affiliates from other prominent variants such as LockBit and ALPHV.
For a full pdf version of the joint advisory, go to this link.
More on the global ransomware epidemic:
Cognitive Infrastructure
Human Targeting/Social Engineering/Cyber Espionage
- CISA: Most cyberattacks on gov’ts, critical infrastructure involve valid credentials: More than half of all cyberattacks on government agencies, critical infrastructure organizations and state-level government bodies involved the use of valid accounts, according to a new report from the Cybersecurity and Infrastructure Security Agency (CISA).
- James Reddick at The Record from Recorded Future News recently reported on the arrest of five Chinese nationals by the feds for a ‘massive’ elder fraud scheme.
- On the Russian information warfare front: WSJ reports that Microsoft Says Russian-Sponsored Hackers are Still Using Stolen Information, and The Record reports that media, activists, former US diplomat were on Russia-aligned phishing campaigns’ hit lists: “Researchers are tracking two Russia-aligned phishing campaigns that targeted human rights organizations, independent media and civil society members from Eastern Europe and the U.S.”
- Humans remain the key cloud security weak point: The latest Top Threats to Cloud Computing 2024 report by the Cloud Security Alliance highlighted that people still play a significant role in cloud security vulnerabilities, Security Boulevard reports. The report identified misconfiguration and inadequate change control as the leading cloud security threats followed by identity and access management issues, insecure interfaces and APIs, and poor execution of cloud security strategies — all weaknesses that are influenced heavily by human actions. Other human-related concerns include insecure software development and accidental data exposure.
- U.S. Voter Confidence is Down. Here’s How to Restore It: Eight years ago, a World Justice Project poll found that an overwhelming majority of Americans–91%–believed they could vote freely without being harassed or pressured. After the 2020 election, only 58% of people still agreed. Will 2024 be different?
- Pew Research Center | Many Americans are confident the 2024 election will be conducted fairly, but wide partisan differences remain: Americans are generally confident that this fall’s presidential election will be conducted fairly and accurately. Yet Republicans and those who lean toward the GOP are far less confident of this than Democrats and Democratic leaners, according to a Pew Research Center survey conducted July 1-7, 2024. Overall, 61% of Americans say they are very or somewhat confident the election will be conducted fairly and accurately. These views have changed little since 2022 and 2020.
- Google says Russian group targeted Mongolian government with exploits used by NSO Group: Google security researchers said they uncovered an espionage campaign against websites run by the Mongolian government, attributing the operation to Russia-backed hackers using exploits previously deployed by commercial surveillance vendors Intellexa and NSO Group. A Google spokesperson told Recorded Future News that the campaign stood out because it was the first time the researchers saw alleged members of the Russian group tracked as APT29 using the same exploits as those sold by commercial surveillance vendors. “We do not know how they were acquired and if Intellexa or NSO knowingly sold them to the Russian government,” they added.
- Arrest of Telegram CEO sparks cyberattacks against French websites: The arrest of Telegram CEO Pavel Durov in France over the weekend sparked a series of cyberattacks against French websites by hacktivists protesting Durov’s detention. French authorities said Durov’s arrest was related to Telegram’s lack of moderation and failure to cooperate with law enforcement agencies, which they said enabled crimes such as drug trafficking, distribution of child sexual abuse material and fraud, the BBC reported.
Information Warfare
When Eva Galperin heard that Pavel Durov, the founder of the popular messaging service Telegram, was arrested in Paris over the weekend, she quickly got in touch with French privacy and legal experts. Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a prominent digital freedoms advocate, said her immediate fear was that the French government was trying to crack down on how Telegram treats end-to-end encryption. Why it matters:
- Questioning the motives behind the arrest: Much debate has been sparked about the real reasons behind the arrest of Pavel Durov, founder of Telegram. Reports suggest that the arrest links to issues with data encryption methods used by the app, potentially indicating a broader crackdown on digital encryption. However, further information suggests that the charges may only relate to standard statutory paperwork issues. The reasons for the arrest thus remain obscure and disputed.
- Implications for moderation strategies and free speech: The arrest has ignited a debate about the responsibility of platform CEOs in content moderation. While some believe that a lax approach might foster illegal activities on the app, others argue that stricter moderation infringes on the right to free speech. The unclear situation has put digital freedom advocates in a difficult situation as they navigate between supporting civil liberties and ensuring the safety of online spaces.
- Possible impact on future government intervention and civil liberties: The incident brings attention to potential heavy-handed approaches by governments, which could use the arrest as a catalyst for punitive action against digital platforms, thereby threatening civil liberties and privacy rights. As such cases propel governments to assert more control over digital platforms, the arrest raises crucial questions about how these platforms and their users’ rights should be protected.
Mis-, Dis- information, Information Disorder
- In June, Clint Watts – General Manager, Microsoft Threat Analysis Center provided a case study of how “Russia [was] ramping up malign disinformation campaigns against France, French President Emmanuel Macron, the International Olympic Committee (IOC), and this summer’s Olympic Games in Paris. While Russia has a decades-long history of targeting the Olympic Games, the Microsoft Threat Analysis Center (MTAC) has observed old tactics blending with artificial intelligence (AI) in malign activity that may intensify as the 2024 Paris Opening Ceremony approaches. These operations have two principal aims: 1) Denigrate the reputation of the IOC; and 2) Create the expectation of violence breaking out in Paris at the Games. Several prolific Russian influence actors, which Microsoft tracks as Storm-1679 and Storm-1099, have pivoted their operations since June 2023 to focus on the Olympics.” These insights are detailed in a special Microsoft Threat Intelligence report published today: “Russian Influence Efforts Converge on 2024 Paris Olympic Games.”
- In July, FBI cyber-cops zapped ~1K Russian AI disinfo Twitter bots.
- The WP reports that Iran’s PressTV and Russian outlets paid U.S. contributors who also run Grayzone: “Experts say an overlap in funding underscores concern that the spread of falsehoods and propaganda online is entering a more complicated stage as the November election draws closer. A top editor at an online news site aimed at Americans who has worked extensively for Russia’s Sputnik also has taken money from Iranian government-owned media, according to newly unearthed documents — a sign of how widening geopolitical alliances are making it harder to identify and trace foreign influence operations.”
IT Supply Chain Disruption
Global Election Security and Integrity
- Google recently reported that Iranian hackers are targeting affiliates of both US presidential campaigns; while Meta warns of troll networks from Russia, Iran ahead of US elections.
- Microsoft has also warned that Iranian hackers are ramping up US election interference.
- 100 days out from the U.S. Election, ODNI has released an Election Security Update as of late July 2024: For the pdf version of the ODNI advisory, go to this link. Nextgov.com reported that “Malicious actors are leveraging online platforms and social media to plant inauthentic narratives, intelligence community officials said on a…press call ahead of the advisory’s release. Officials said that these malicious actors are purchasing the services of legitimate marketing and communications firms to help unwittingly push their narratives.”
- CISA Director Easterly on “Democracy’s Biggest Year: The Fight for Secure Elections Around the World”: CISA Director Jen Easterly participated in a keynote session at Black Hat USA 2024, along with international election experts Hans de Vries, COO, European Union Agency for Cybersecurity (ENISA), and Felicity Oswald, CEO, National Cyber Security Centre (NCSC) to “unpack how international leaders are approaching election security risks to the democratic processes.” Along with coverage of this keynote panel, we have compiled Director Easterly’s recent communications on the 2024 security threats and security and integrity strategies taken up by CISA and the USG in the run-up to the November 2024 Election in the U.S.
- DDoS Attacks: Could Hinder Access to Election Information, Would Not Prevent Voting – Alert Number: I-073124-PSA, July 31, 2024: “The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are issuing this announcement to raise awareness that Distributed Denial of Service (DDoS) attacks on election infrastructure, or adjacent infrastructure that support election operations, could hinder public access to election information but would not impact the security or integrity of election processes.”
- A ray of light, as “The UK’s deputy prime minister, Oliver Dowden, says that China has been unsuccessful in its attempts to undermine UK elections.”
- Mandiant released a report on “Russia and Iran posing the biggest threat to the 2024 elections”:
The different election attack types and the threat they present (courtesy of Mandiant)
The different nations and the groups that further their causes (image courtesy Mandiant)
Additional OODA Loop Resources
For our News Briefs and Original Analysis research efforts to date on this topic, go to:
https://oodaloop.com/archive/2024/08/27/leaving-our-nation-vulnerable-to-cyber-invasion-volt-typhoons-recent-zero-day-attack-on-u-s-internet-providers/
Microsoft, CISA, NSA, FBI, and the Five Eyes on the PRC’s Advanced Persistent Threat: Volt Typhoon: OODA Loop Contributor Emilio Iasiello provided the initial coverage of a “cluster of activity” linked to China, targeting networks across U.S. critical infrastructures and Guam: Chinese Cyber Activities Against Critical Infrastructure Raises the Stakes in U.S.-China Relations. As is always the case with Emilio’s weekly contribution here at OODA Loop, it is worth a read. The advisory referenced by Emilio – entitled People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection – dovetails with our analysis in April of the State Department turning its strategic focus towards cyber-threat vectors in Guam, Albania, and Costa Rica.
Chinese Cyber Activities Against Critical Infrastructure Raises the Stakes in U.S.-China Relations: On May 24, 2023, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), as well as the Five Eyes, issued advisories on a “cluster of activity” linked to China that has been targeting networks across U.S. critical infrastructures and Guam. Dubbed VOLT TYPHOON, the activity has been occurring since at least 2021 according to Microsoft, which appears to have been at the forefront of reporting this activity to the U.S. government and, per its May 24 release, has since notified private sector organizations of the threat. Activity exhibited during the campaign indicated that the actors focused on sustained cyber espionage as opposed to more disruptive attacks, and targeted organizations in the communications, construction, education, government, information technology, manufacturing, maritime, transportation, and utility sectors. Once they gained initial access, these actors stole credentials in order to try to gain entry into other systems.
Cyber Risks
Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk
Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has caused regional issues that affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat
Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic’s reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.
Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat
Recommendations for Action
Decision Intelligence for Optimal Choices: Numerous disruptions complicate situational awareness and can inhibit effective decision-making. Every enterprise should evaluate its data collection methods, assessment, and decision-making processes for more insights: Decision Intelligence.
Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the IT department’s or the CISO’s responsibility – it’s a collective effort involving the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses
The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance
Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront unpredictable external threats. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. Regardless of their size, all organizations should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning
About the Author
Daniel Pereira
Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.