Microsoft says Russian APT28 group carried out multiple cyberattacks on democratic institutions in Europe between September and December 2018.
Microsoft revealed that hackers belonging to the cyber espionage group APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) launched several attacks on democratic institutions in Europe between September and December 2018.
The tech giant revealed that 104 accounts belonging to employees of organizations in Belgium, France, Germany, Poland, Romania, and Serbia were hit by the Russian cyber-espionage group APT28.
The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.
According to a report published by Symantec in October, the group was actively conducting cyber espionage campaigns against government and military organizations in Europe and South America.
Starting in 2017 and continuing into 2018, the APT28 group returned to covert intelligence gathering operations in Europe and South America.
According to Microsoft, the APT28 attacks were extended to think tanks and non-profit organizations working on topics related to democracy, electoral integrity, and public policy. All the victims of the Russian state-sponsored hackers are in contact with government officials.
“Microsoft has recently detected attacks targeting employees of the German Council on Foreign Relations, The Aspen Institutes in Europe and The German Marshall Fund.” reads the post published by Microsoft.
“MSTIC continues to investigate the sources of these attacks, but we are confident that many of them originated from a group we call Strontium. The attacks occurred between September and December 2018.”
The list of the victims for the recent attacks
The hackers launch spear-phishing attacks in an attempt to steal employee credentials and deliver malware. The phishing emails use malicious URLs and spoofed sender addresses that look legitimate.
Microsoft’s report is not surprising: in August 2018 the company spotted a hacking campaign targeting the 2018 midterm elections, and in that case too experts attributed the attacks to the Russia-linked APT28 group.
“Consistent with campaigns against similar U
“The attacks we’ve seen recently, coupled with others we discussed last year, suggest an ongoing effort to target democratic organizations. They validate the warnings from European leaders about the threat level we should expect to see in Europe this year.”
Microsoft notified each of the organizations that were hit by the hackers and announced a variety of technical measures to protect its customers from these attacks.
(SecurityAffairs – APT28 group, cyberespionage)
The post Microsoft says Russian APT28 espionage group hit Democratic Institutions in Europe appeared first on Security Affairs.
Security researchers at Check Point have uncovered a cyber espionage campaign conducted by Lazarus APT group aimed at Russian targets.
Security experts at Check Point have uncovered a cyber espionage campaign carried out by Lazarus aimed at Russian targets.
If the attribution is correct, this is the first time that North Korean cyber spies were targeting Russian entities.
“For the first
The experts believe the attacks were carried out by Bluenoroff, a financially motivated division of the Lazarus APT group.
Bluenoroff is one of the most active groups in terms of attacks against financial institutions and is actively trying to infect different victims in several regions; its activity includes attacks on trading companies in Bangladesh in 2014 and the now-famous $81 million cyber-heist of the Bangladesh central
The final payload used in this campaign is the KEYMARBLE backdoor, which is downloaded from a compromised server as a CAB file disguised as a JPEG image (http://37.238.135[.]70/img/anan.jpg).
The compromised server used by the threat actors is an unconvincing website for the “Information Department” of the “South Oil Company”. The server is hosted by EarthLink Ltd. Communications&Internet Services and is located in Iraq.
The infection chain used in this campaign comprises three primary steps:
- The first is an attached ZIP file containing a benign decoy PDF and a weaponized Word document containing malicious macros. One of the decoy documents observed in this campaign contains an NDA for StarForce Technologies, a Russia-based firm that provides copy-protection solutions.
- The macros in the Word document download a VBS script from a Dropbox URL and execute it.
- The VBS script downloads and executes a CAB file from a compromised server, extracts the payload and executes it.
At some point during the campaign, the attackers changed tactics and started skipping the second stage, using Word macros that download and execute the backdoor directly.
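The last stage of the chain above relies on a CAB archive being served under a .jpg name. A defender can catch that without any signature for the payload itself, by comparing what the extension claims with the file's leading bytes (a CAB file starts with the ASCII bytes "MSCF", a JPEG with FF D8 FF). The following is an added example written for this page, not Check Point's tooling; the response bodies are constructed, and only the defanged URL comes from the article.

```python
from pathlib import Path
from typing import List, Optional, Tuple

# File signatures ("magic bytes") for the formats that appear in this chain.
# A Microsoft Cabinet (CAB) file begins with "MSCF"; a JPEG begins with FF D8 FF.
# ZIP and PDF cover the attachment and decoy types the article mentions.
SIGNATURES = {
    "cab": b"MSCF",
    "jpeg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
    "pdf": b"%PDF",
}

# What a file with a given extension claims to be.
EXT_TO_FORMAT = {
    ".jpg": "jpeg", ".jpeg": "jpeg",
    ".cab": "cab",
    ".zip": "zip",
    ".pdf": "pdf",
}


def sniff_format(data: bytes) -> Optional[str]:
    """Identify the real container format from the leading bytes, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def extension_mismatch(filename: str, data: bytes) -> Optional[Tuple[str, str]]:
    """Return (claimed, actual) when the extension and the content disagree.

    Returns None when they agree, or when either side is unknown: an
    unrecognised extension or header is not evidence of masquerading by itself.
    """
    claimed = EXT_TO_FORMAT.get(Path(filename).suffix.lower())
    actual = sniff_format(data)
    if claimed is None or actual is None or claimed == actual:
        return None
    return (claimed, actual)


def scan_downloads(entries: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Flag (url, claimed, actual) for every download whose body does not match
    its extension. Each entry pairs a requested URL with the first bytes of the
    response body, as a proxy or sandbox would record them."""
    flagged = []
    for url, body in entries:
        mismatch = extension_mismatch(url.rsplit("/", 1)[-1], body)
        if mismatch:
            flagged.append((url, mismatch[0], mismatch[1]))
    return flagged


# Constructed sample responses (not real captures). The first mimics the
# CAB-served-as-JPEG trick using the defanged URL from the article; the bytes
# after the "MSCF" header are filler, not a real archive.
SAMPLE_DOWNLOADS = [
    ("http://37.238.135[.]70/img/anan.jpg", b"MSCF\x00\x00\x00\x00" + b"\x00" * 24),
    ("http://example.invalid/logo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("http://example.invalid/nda.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
]

if __name__ == "__main__":
    for url, claimed, actual in scan_downloads(SAMPLE_DOWNLOADS):
        print(f"MISMATCH {url}: extension says {claimed}, content is {actual}")
```

Only the first sample is flagged: the extension says JPEG, the header says CAB. The same check applied at a proxy or in a sandbox also covers the later variant of the campaign, where the macro fetches the backdoor directly, as long as the download still carries a misleading extension.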
Why should North Korea spy on Russian entities?
It is difficult to say, considering the good relationship between the two countries; in any case, we cannot exclude that a third-party actor used false flags to disguise itself.
The post North Korea’s Lazarus APT targets Russian Entities appeared first on Security Affairs.
Russia plans to disconnect the country from the internet as part of an experiment aimed at testing the response to cyber attacks that could isolate it.
Russia plans to disconnect the country from the Internet for a limited period of time to conduct a test aimed at assessing the security of its infrastructure. Russian citizens will be able to reach only Internet resources within the national territory; any resource hosted outside the country will not be reachable.
The news was reported by the Russian news agency RosBiznesKonsalting (RBK); the experiment could be conducted before April 1st.
According to the “The National Digital Economy Program” bill submitted to Parliament in 2018, Russian Internet service providers (ISPs) should ensure operations even if nation-state actors carry out cyber attacks to isolate Russia from the Internet. The authorities want to ensure that access to Russian Internet resources is maintained even under attack; to do this, Russian experts are considering a sort of DNS managed by Moscow.
Currently, none of the 12 organizations that oversee the DNS root servers worldwide is based in Russia.
ISPs should be able to route traffic through nodes under the control of the Russian Government to allow connections between Russian entities.
Of course, concentrating the traffic through nodes controlled by Moscow could open the door to massive surveillance.
“In addition, Russian telecom firms would also have to install “technical means” to re-route all Russian internet traffic to exchange points approved or managed by Roskomnadzor, Russia’s telecom watchdog.” reported ZDNet.
“Roskomnadzor will inspect the traffic to block prohibited content and make sure traffic between Russian users stays inside the country, and is not re-routed uselessly through servers abroad, where it could be intercepted.”
The experiment was agreed upon in a session of the Information Security Working Group at the end of January. The Group includes InfoWatch, MegaFon, Beeline, MTS, RosTelecom, and other major companies in the country.
All internet providers agreed with the law’s goals, but the technical implementation raises many concerns because experts believe it could cause major disruptions to Russian internet traffic. Anyway the goal of the project
“Natalya Kaspersky [President InfoWatch company] confirmed to RBC that at the meeting of the working group, a bill was discussed on the sustainability of the Runet for external shutdown.” reported the RBK agency.
“All participants in the discussion agree that it has good goals, but the mechanisms for its implementation raise many questions and disputes. Moreover, the methods of its implementation have not yet been precisely defined. Therefore, they came to the conclusion that market participants need to organize exercises or something similar in order to understand how this can all be implemented in practice,” said Kaspersky.
According to Finanz.ru, local internet services Mail.ru and Yandex.ru were also supportive of the test.
The post Russia is going to disconnect from the internet as part of a planned test appeared first on Security Affairs.
The Russian government, together with major internet providers, has planned to briefly disconnect the entire country from the global internet. The test will completely isolate the Russian internet, aka Runet, from the rest of the world.
The primary reason behind this internet shutdown is to test the security of Russian data. So here’s everything you need to know about the internet shutdown test in Russia.
Russia Plans To Disconnect From The Global Internet
For a limited period of time, the Russian government will completely disconnect Russia from the global internet. The Internet shutdown test in Russia will impact private citizens, power grids and even military systems.
According to some reliable sources, the test will last about 30 minutes and will be conducted before 1st April. Every major Russian ISP will redirect all network traffic to nodes that are controlled by the Russian government.
The test will also include creating an alternative domain name system (DNS) to keep the Russian-language section of the internet reachable in case it is disconnected from the World Wide Web.
The test will also help the Russian Government to gather insight and provide additional feedback and modifications to proposed laws.
Russian Internet Shutdown Test: Benefits
The Internet shutdown test will help the Russian government monitor and block websites containing banned information. In addition, the test will allow centralized control of all national internet traffic and minimize the transfer of data to foreign servers.
Well, the Russian government carried out a drill back in mid-2014 to gauge people’s response to the internet being disconnected from the web. The test will probably cost around 23 billion rubles, or roughly $350 million.
Do share your thoughts and opinions on the internet shutdown test in Russia in the comments section below.
The post Russia Plans To Disconnect From The Global Internet appeared first on TechWorm.
To test the security of its data, Russia is considering disconnecting its Internet service for a short period of time. The test will affect all the data sent by Russian citizens or organizations as Internet access would be limited only within the national territory, meaning that they will not be routed internationally. The test has […]
This is a post from HackRead.com Read the original post: Russian to shut down Internet to test its cyber deterrence
Crude oil swung lower on Tuesday, extending an early-week slump that has raised alarm over the trajectory of energy markets in 2019 and beyond. Investors and consumers can expect volatility to be the new norm in a tri-polar world where the United States, Russia and Saudi Arabia are all vying for influence. Market Update Oil […]
A Russian cyber criminal going by the name of "C0rpz" is believed to be the source of a massive trove of over one billion online credentials known as "Collection 1," the firm Recorded Future reports.
The post Russian Cyber Criminal Named as Source of Massive Collection 1 Data Dump appeared first on The Security Ledger.
LinkedIn Wednesday blamed an issue with its job ingestion tool–not Russian hackers or an online scam–as the reason the business social network was erroneously posting jobs located in Russia for a number of U.S.-based companies. The custom software tool that pulls in jobs from third-party websites onto LinkedIn’s site failed to...
Misinformation is a powerful tool. As we enter 2019 we invite on a fascinating guest, Clint Watts, who has spent his career learning all about how to use it and how it is used. – Jan 14, 2019
Got a great idea for an upcoming podcast? Send us a quick message on the contact form!
Enjoy the Outtro Music? Thanks to Clutch for allowing us to use Son of Virginia as our new SEPodcast Theme Music
And check out a schedule for all our training at Social-Engineer.Com
Check out the Innocent Lives Foundation to help unmask online child predators.
The post Ep. 113 – Nutrition Facts for Online Information with Clint Watts appeared first on Security Through Education.
Bogus LinkedIn job postings for leading US organizations, including the US Army, the State of Florida and defense contractor General Dynamics, are popping up for Russian locales like St. Petersburg and Moscow, the firm Evolver has found. Is it AI-Gone-Wild, or is something more nefarious afoot? Moscow, on the border between Idaho and Washington...
In a previous blog post we detailed the TRITON intrusion that impacted industrial control systems (ICS) at a critical infrastructure facility. We now track this activity set as TEMP.Veles. In this blog post we provide additional information linking TEMP.Veles and their activity surrounding the TRITON intrusion to a Russian government-owned research institute.
TRITON Intrusion Demonstrates Russian Links; Likely Backed by Russian Research Institute
FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow. The following factors supporting this assessment are further detailed in this post. We present as much public information as possible to support this assessment, but withheld sensitive information that further contributes to our high confidence assessment.
- FireEye uncovered malware development activity that is very likely supporting TEMP.Veles activity. This includes testing multiple versions of malicious software, some of which were used by TEMP.Veles during the TRITON intrusion.
- Investigation of this testing activity reveals multiple independent ties to Russia, CNIIHM, and a specific person in Moscow. This person’s online activity shows significant links to CNIIHM.
- An IP address registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion.
- Behavior patterns observed in TEMP.Veles activity are consistent with the Moscow time zone, where CNIIHM is located.
- We judge that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of TRITON and TEMP.Veles operations.
While we cannot rule out the possibility that one or more CNIIHM employees could have conducted TEMP.Veles activity without their employer’s approval, the details shared in this post demonstrate that this explanation is less plausible than TEMP.Veles operating with the support of the institute.
Malware Testing Activity Suggests Links between TEMP.Veles and CNIIHM
During our investigation of TEMP.Veles activity, we found multiple unique tools that the group deployed in the target environment. Some of these same tools, identified by hash, were evaluated in a malware testing environment by a single user.
Malware Testing Environment Tied to TEMP.Veles
We identified a malware testing environment that we assess with high confidence was used to refine some TEMP.Veles tools.
- At times, the use of this malware testing environment correlates to in-network activities of TEMP.Veles, demonstrating direct operational support for intrusion
- Four files tested in 2014 are based on the open-source project, cryptcat. Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates. One of these files was deployed in a TEMP.Veles target’s network. The compiled version with the least detections was later re-tested in 2017 and deployed less than a week later during TEMP.Veles activities in the target environment.
- TEMP.Veles’ lateral movement activities used a publicly-available PowerShell-based tool, WMImplant. On multiple dates in 2017, TEMP.Veles struggled to execute this utility on multiple victim systems, potentially due to AV detection. Soon after, the customized utility was again evaluated in the malware testing environment. The following day, TEMP.Veles again tried the utility on a compromised system.
- The user has been active in the malware testing environment since at least 2013, testing customized versions of multiple open-source frameworks, including Metasploit, Cobalt Strike, PowerSploit, and other projects. The user’s development patterns appear to pay particular attention to AV evasion and alternative code execution techniques.
- Custom payloads utilized by TEMP.Veles in investigations conducted by Mandiant are typically weaponized versions of legitimate open-source software, retrofitted with code used for command and control.
Testing, Malware Artifacts, and Malicious Activity Suggest Tie to CNIIHM
Multiple factors suggest that this activity is Russian in origin and associated with CNIIHM.
- A PDB path contained in a tested file contained a string that appears to be a unique handle or user name. This moniker is linked to a Russia-based person active in Russian information security communities since at least 2011.
- The handle has been credited with vulnerability research contributions to the Russian version of Hacker Magazine (хакер).
- According to a now-defunct social media profile, the same individual was a professor at CNIIHM, which is located near Nagatinskaya Street in the Nagatino-Sadovniki district of Moscow.
- Another profile using the handle on a Russian social network currently shows multiple photos of the user in proximity to Moscow for the entire history of the profile.
- Suspected TEMP.Veles incidents include malicious activity originating from 126.96.36.199, which is registered to CNIIHM.
- This IP address has been used to monitor open-source coverage of TRITON, heightening the probability of an interest by unknown subjects, originating from this network, in TEMP.Veles-related activities.
- It also has engaged in network reconnaissance against targets of interest to TEMP.Veles.
- The IP address has been tied to additional malicious activity in support of the TRITON intrusion.
- Multiple files have Cyrillic names and artifacts.
Figure 1: Heatmap of TRITON attacker operating hours, represented in UTC time
Behavior Patterns Consistent with Moscow Time Zone
Adversary behavioral artifacts further suggest the TEMP.Veles operators are based in Moscow, lending some further support to the scenario that CNIIHM, a Russian research organization in Moscow, has been involved in TEMP.Veles activity.
- We identified file creation times for numerous files that TEMP.Veles created during lateral movement on a target’s network. These file creation times conform to a work schedule typical of an actor operating within a UTC+3 time zone (Figure 1) supporting a proximity to Moscow.
Figure 2: Modified service config
- Additional language artifacts recovered from TEMP.Veles toolsets are also consistent with such a regional nexus.
- A ZIP archive recovered during our investigations, schtasks.zip, contained an installer and uninstaller of CATRUNNER that includes two versions of an XML scheduled task definition for a masquerading service ‘ProgramDataUpdater.’
- The malicious installation version has a task name and description in English, and the clean uninstall version has a task name and description in Cyrillic. The timeline of modification dates within the ZIP also suggests the actor changed the Russian version to English in sequential order, heightening the possibility of a deliberate effort to mask its origins (Figure 2).
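The installer/uninstaller pair above is the kind of artifact an analyst triages by reading the two Task Scheduler XML files side by side: same task URI, metadata in different scripts, an action that does not point where a Microsoft-authored task would. The script below is an added example for this page, not FireEye's tooling; the two XML definitions are constructed stand-ins (the description text and the `C:\placeholder\catrunner.exe` path are invented, not values from the report), built on the public Task Scheduler schema namespace.

```python
import unicodedata
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Namespace used by exported Task Scheduler definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def has_cyrillic(text: str) -> bool:
    """True if any character in the text belongs to the Cyrillic script."""
    return any("CYRILLIC" in unicodedata.name(ch, "") for ch in text)


def summarize_task(xml_text: str) -> Dict[str, object]:
    """Pull the fields that matter for triage out of one task definition."""
    root = ET.fromstring(xml_text)

    def field(path: str) -> str:
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    commands: List[Tuple[str, str]] = []
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_el.find("t:Command", NS)
        arg = exec_el.find("t:Arguments", NS)
        commands.append(((cmd.text or "").strip() if cmd is not None else "",
                         (arg.text or "").strip() if arg is not None else ""))

    author = field("t:RegistrationInfo/t:Author")
    description = field("t:RegistrationInfo/t:Description")
    return {
        "uri": field("t:RegistrationInfo/t:URI"),
        "author": author,
        "description": description,
        "cyrillic_metadata": has_cyrillic(author + " " + description),
        "commands": commands,
    }


def triage_pair(install_xml: str, uninstall_xml: str) -> List[str]:
    """Compare an install/uninstall pair and list the observations an analyst
    would record: shared task name, mismatched metadata script, and actions
    that run from outside the Windows directory."""
    a, b = summarize_task(install_xml), summarize_task(uninstall_xml)
    findings = []
    if a["uri"] == b["uri"]:
        findings.append(f"shared task URI {a['uri']}")
    if a["cyrillic_metadata"] != b["cyrillic_metadata"]:
        findings.append("metadata language mismatch: install Cyrillic=%s, uninstall Cyrillic=%s"
                        % (a["cyrillic_metadata"], b["cyrillic_metadata"]))
    for label, summary in (("install", a), ("uninstall", b)):
        for cmd, args in summary["commands"]:
            if not cmd.lower().startswith("c:\\windows\\"):
                findings.append(f"{label} action runs outside C:\\Windows: {cmd} {args}".strip())
    return findings


# Constructed task definitions (not the recovered files): the install variant
# carries English metadata, the uninstall variant Cyrillic, as the report describes.
INSTALL_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <Description>Updates program data for installed applications.</Description>
    <URI>\ProgramDataUpdater</URI>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>C:\placeholder\catrunner.exe</Command><Arguments>/install</Arguments></Exec>
  </Actions>
</Task>"""

UNINSTALL_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <Description>Удаление задачи обновления данных программ.</Description>
    <URI>\ProgramDataUpdater</URI>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>C:\placeholder\catrunner.exe</Command><Arguments>/uninstall</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for line in triage_pair(INSTALL_XML, UNINSTALL_XML):
        print(line)
```

The same `summarize_task` function works on a single exported task (for example from a host's `Tasks` folder) when there is no pair to compare; the path check is a coarse heuristic and should be tuned to the environment's legitimate software locations.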
Figure 3: Central Research Institute of Chemistry and Mechanics (CNIIHM) (Google Maps)
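The file-creation-time argument in the previous section (Figure 1) is a standard forensic technique: bucket event times by UTC hour, then ask which whole-hour offset makes the bulk of the activity fall inside an ordinary working day. The following is an added example written for this page, not FireEye's analysis code; the timestamps are constructed to resemble a UTC+3 work schedule and are not case data.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

WORKDAY_START = 9            # local hour, inclusive
WORKDAY_END = 18             # local hour, exclusive
CANDIDATE_OFFSETS = range(-12, 15)   # whole-hour UTC offsets, UTC-12 .. UTC+14


def hourly_heatmap(timestamps: Iterable[datetime]) -> Dict[int, int]:
    """Count events per UTC hour of day (0-23): the data behind a heatmap.
    Timestamps must be timezone-aware so the conversion to UTC is explicit."""
    counts = Counter(ts.astimezone(timezone.utc).hour for ts in timestamps)
    return {hour: counts.get(hour, 0) for hour in range(24)}


def score_offset(heatmap: Dict[int, int], offset_hours: int) -> float:
    """Fraction of events that land inside the working day if the operator
    were sitting in a UTC+offset zone."""
    total = sum(heatmap.values())
    if total == 0:
        return 0.0
    inside = 0
    for utc_hour, n in heatmap.items():
        local_hour = (utc_hour + offset_hours) % 24   # Python's % keeps this non-negative
        if WORKDAY_START <= local_hour < WORKDAY_END:
            inside += n
    return inside / total


def rank_offsets(timestamps: Iterable[datetime]) -> List[Tuple[int, float]]:
    """Return (offset, score) pairs, best fit first; ties keep ascending offset order."""
    heatmap = hourly_heatmap(list(timestamps))
    ranked = [(off, score_offset(heatmap, off)) for off in CANDIDATE_OFFSETS]
    ranked.sort(key=lambda pair: -pair[1])   # stable sort preserves tie order
    return ranked


def best_offset(timestamps: Iterable[datetime]) -> int:
    return rank_offsets(timestamps)[0][0]


def constructed_sample() -> List[datetime]:
    """Constructed file-creation times (not real case data): one event per hour
    from 06:00 to 14:00 UTC on five weekdays, which is 09:00-17:00 in UTC+3,
    plus two off-hours events as noise."""
    monday = datetime(2017, 6, 5, tzinfo=timezone.utc)
    events = []
    for day in range(5):
        for utc_hour in range(6, 15):
            events.append(monday + timedelta(days=day, hours=utc_hour))
    events.append(monday + timedelta(days=1, hours=20))
    events.append(monday + timedelta(days=3, hours=22))
    return events


if __name__ == "__main__":
    sample = constructed_sample()
    for hour, n in hourly_heatmap(sample).items():
        print(f"{hour:02d}:00 UTC {'#' * n}")
    for offset, score in rank_offsets(sample)[:3]:
        print(f"UTC{offset:+d}: {score:.0%} of events inside {WORKDAY_START}-{WORKDAY_END}h")
```

On its own this is weak evidence: adjacent offsets score almost as well, shift work or automation flattens the histogram, and an operator can simply work odd hours. It becomes useful when, as in the report, it agrees with independent artifacts such as language strings and registration data.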
CNIIHM Likely Possesses Necessary Institutional Knowledge and Personnel to Create TRITON and Support TEMP.Veles Operations
While we know that TEMP.Veles deployed the TRITON attack framework, we do not have specific evidence to prove that CNIIHM did (or did not) develop the tool. We infer that CNIIHM likely maintains the institutional expertise needed to develop and prototype TRITON based on the institute’s self-described mission and other public information.
- CNIIHM has at least two research divisions that are experienced in critical infrastructure, enterprise safety, and the development of weapons/military
- The Center for Applied Research creates means and methods for protecting critical infrastructure from destructive information and technological impacts.
- The Center for Experimental Mechanical Engineering develops weapons as well as military and special equipment. It also researches methods for enabling enterprise safety in emergency situations.
- CNIIHM officially collaborates with other national technology and development organizations:
- The Moscow Institute of Physics and Technology (PhysTech), which specializes in applied physics, computing science, chemistry, and biology.
- The Association of State Scientific Centers “Nauka,” which coordinates 43 Scientific Centers of the Russian Federation (SSC RF). Some of its main areas of interest include nuclear physics, computer science and instrumentation, robotics and engineering, and electrical engineering, among others.
- The Federal Service for Technical and Export Control (FTEC) which is responsible for export control, intellectual property, and protecting confidential information.
- The Russian Academy of Missile and Artillery Sciences (PAPAH) which specializes in research and development for strengthening Russia’s defense industrial complex.
- Information from a Russian recruitment website, linked to CNIIHM’s official domain, indicates that CNIIHM is also dedicated to the development of intelligent systems for computer-aided design and control, and the creation of new information technologies (Figure 4).
Figure 4: CNIIHM website homepage
Primary Alternative Explanation Unlikely
Some possibility remains that one or more CNIIHM employees could have conducted the activity linking TEMP.Veles to CNIIHM without their employer’s approval. However, this scenario is highly unlikely.
- In this scenario, one or more persons – likely including at least one CNIIHM employee, based on the moniker discussed above – would have had to conduct extensive, high-risk malware development and intrusion activity from CNIIHM’s address space without CNIIHM’s knowledge and approval over multiple years.
- CNIIHM’s characteristics are consistent with what we might expect of an organization responsible for TEMP.Veles activity. TRITON is a highly specialized framework whose development would be within the capability of a low percentage of intrusion operators.
I was absolutely hooked from page 1. As I have told dozens of friends since then, his story-telling vehicle is quite good. The book starts with him already in prison, and in order to teach the reader about carding and cybercrime, a lawyer visits him periodically in prison, providing the perfect foil needed to explain key concepts to the uninitiated, such as interrupting one of Sergey's stories to ask "Wait. What is a white card?"
(Image: My copy of the book!)
As someone who has studied cybercrime for more than 20 years, I was probably more excited than the average reader will be to see so many names and criminal forums and card shops that I recognized -- CarderPlanet, and card shop runners such as Vladislav Khorokhorin AKA BadB, Roman Vega AKA Boa, and data breach and hacking specialists like Albert Gonzalez and Vladimir Drinkman who served as the source of the cards that they were all selling. These and many of the other characters in this book appeared regularly in this blog. (A list is at the bottom of this article)
Whether these names are familiar to the reader or not, one can't help but be drawn into this story of intrigue, friendship, and deception as Pavlovich and his friends detect and respond to the various security techniques that shopkeepers, card issuers, and the law enforcement world are using to try to stop them. Sergey shows how a criminal can rise quickly in the Russian cybercrime world by the face-to-face networking that a $100,000 per month income can provide, jet-setting the world with his fellow criminals and using business air travel, penthouse hotel suites, cocaine and women to loosen the lips of his peers so he can learn their secrets, but he also shows how quickly these business relationships can shatter in the face of law enforcement pressure.
The alternating chapters of the book serve as a stark reminder of where such life choices lead, as Sergey reveals the harsh realities of life in a Russian prison. Even these are fascinating, as the smooth-talking criminal does his best to learn the social structure of Russian prison and find a safe place for himself on the inside. The bone-crushing beatings, deprivation of food and privacy, and the fear of never knowing which inmate or prison guard will snap next in a way that could seriously harm or kill him is a constant reminder that eventually everyone gets caught and when they do, the consequences are extreme.
Sergey's original English manuscript has been greatly improved with the help of feedback from pre-readers and some great editors. After my original read, I told Sergey "I LOVE the story delivery mechanism, and there are fascinating stories here, but there are a few areas that really need some work." It's clear that he took feedback like this seriously. The new book, released in May 2018, is markedly improved without taking anything away from the brilliant story-telling of a fascinating criminal career ending with a harsh encounter with criminal justice.
A purchase link to get the book from Amazon: How to Steal a Million: The Memoirs of a Russian Hacker
The book was extremely revealing to me, helping me to understand just how closely linked the various Russian criminals are to each other, as well as revealing that some brilliant minds, trained in Computer Science and Engineering, and left morally adrift in a land where corruption is a way of life and with little chance of gainful employment, will apply those brilliant minds to stealing our money.
I seriously debated whether I should support this book. Many so-called "reformed" criminals have reached out to me in the past, asking me to help them with a new career by meeting with them, recommending their services, or helping them find a job. It is a moral dilemma. Do I lend assistance to a man who stole millions of dollars from thousands of Americans? Read the book. To me, the value of this book is that it is the story of a criminal at the top of his game, betrayed by his colleagues and getting to face the reality of ten years in a Russian prison. I think the book has value as a warning -- "a few months or even a couple years of the high life is not worth the price you will pay when it all comes crashing down."
Links to selected blog articles that feature Pavlovich's cast of characters:
May 12, 2008 TJX and Dave and Busters - Maksym Yastremskiy (Maksik), Aleksandr Suvorov (JonnyHell) and Albert Gonzalez (Segvec) and their role in the TJX Data Breach.
August 5, 2008 TJX Reminder: We Will Arrest You and We Will Send You To Jail - some of the legal aftermath of the case above.
August 8, 2008 TJX: the San Diego Indictments where the US government indicts:
- SERGEY ALEXANDROVICH PAVLOVICH, aka Panther, aka Diplomaticos, aka PoL1Ce Dog, aka Fallen Angel, aka Panther757
- DZMITRY VALERYEVICH BURAK, aka Leon, aka Graph, aka Wolf
- SERGEY VALERYEVICH STORCHAK, aka Fidel
May 9, 2013 ATM Cashers in 26 Countries Steal $40M talks about BadB's role in "Unlimited" ATM cash-out schemes, and his arrest in 2010 and sentencing to 88 months in 2013.
Jan 14, 2014 Target Breach Considered in Light of Drinkman/Gonzalez Data Breach Gang talked about Albert Gonzalez, Vladimir Drinkman, and how there seemed to be such a strong pattern of behavior - a script if you will - to how criminals were conducting the major data breaches of that time.
Jan 27, 2014 Roman Vega (CarderPlanet's BOA) Finally Gets His Sentence addressed the plight of Roman Vega, who had been drifting around in the American criminal justice system, unsentenced, from 2003 until 2013! Dmitry Golubov AKA Script, the "godfather of CarderPlanet" is also discussed in this post.
As reported in the Hunton Nickel Report:
Recent press reports indicate that a cyber attack disabled the third-party platform used by oil and gas pipeline company Energy Transfer Partners to exchange documents with other customers. Effects from the attack were largely confined because no other systems were impacted, including, most notably, industrial controls for critical infrastructure. However, the attack comes on the heels of an FBI and Department of Homeland Security (“DHS”) alert warning of Russian attempts to use tactics including spearphishing, watering hole attacks, and credential gathering to target industrial control systems throughout critical infrastructure, as well as an indictment against Iranian nationals who used similar tactics to attack private, education, and government institutions, including the Federal Energy Regulatory Commission (“FERC”). These incidents raise questions about cybersecurity across the U.S. pipeline network.
Federal oversight of pipeline safety and security is split respectively between the Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (“PHMSA”) and DHS’s Transportation Safety Administration (“TSA”). PHMSA and TSA signed a Memorandum of Understanding in 2004, which has been continually updated, coordinating activity under their jurisdictions over pipelines. Pipeline security activities within TSA are led by the Pipeline Security Division.
Notably, the Implementing Recommendations of the 9/11 Commission Act of 2007, codified at 6 U.S.C. 1207(f), authorizes TSA to promulgate pipeline security regulations if TSA determines that doing so is necessary. To date, TSA has opted not to issue pipeline security regulations, instead preferring a collaborative approach with industry through its Pipeline Security Guidelines, which were updated just last month. Nevertheless, growing risks are leading to calls for mandatory oil and gas pipeline cybersecurity regulations. Some assert that pipelines should adopt a regime similar to electric grid regulations under Critical Infrastructure Protection (“CIP”) Standards, issued by the North American Electric Reliability Corporation (“NERC”) and approved by FERC.
Containing numerous critical infrastructure elements across a vast and far-flung network that carries a commodity critical to public welfare, the U.S. oil and gas pipeline network shares many characteristics with the electric grid. Furthermore, the growing interconnection of information systems, as well as of the economy in general, increases the potential for events in one sector, particularly energy, to have cross-sectoral impacts. For these reasons, there is legitimate concern that a cyber attack leading to an oil and gas pipeline disruption could have wide-reaching effect, especially in light of the electricity subsector’s growing reliance on natural gas for generation.
However, there are important differences between the electric grid and pipeline system, most notably in the risk of cascading impacts, that may distinguish the appropriateness of regulations that set a baseline for cybersecurity. Events at an individual pipeline can result in cascading disruption both upstream and downstream in the oil and gas production process, as well as beyond to other sectors. Yet the electricity grid, where systems are more closely tied together, is unique in that a localized event can quickly result in a cascading failure of other operational technology across the grid. This was evidenced by blackouts throughout the Northeast in the 1970s and 2003, which were responsible for spurring the creation of NERC and its reliability standards. NERC CIP Standards, which only apply to systems connected to the electric grid, provide assurance to electricity subsector critical infrastructure owners and operators that other connected systems must adhere to a cybersecurity “floor.” The NERC CIP Standards require measures to mitigate risk that the actions of one grid participant will not cascade to damage the systems of others on the grid. This is not the case with oil and gas pipelines, where cybersecurity regulations may actually divert resources from actual operational security and toward pure compliance.
Concerns about electric-gas coordination may point to issues beyond cybersecurity, and toward the electricity subsector’s growing vulnerability to common-mode disruption. As noted by NERC after its GridEx IV security exercise, meeting challenges in the electric grid’s ever-evolving threat environment may require “consider[ing] whether the diversity of fuel sources (today and into the future) presents a vulnerability to common mode failures or disruptions.”
It should be noted that certain oil and gas facilities, though not necessarily pipelines, are already subject to cybersecurity requirements under DHS’s Chemical Facility Anti-Terrorism Standards (“CFATS”). The CFATS Risk Based Performance Standard 8 outlines cybersecurity measures subject to DHS review during a CFATS inspection.
There are, of course, steps that oil and gas companies can take beyond regulatory compliance to mitigate risk of cyber attack. In December 2016, PHMSA and TSA issued a joint notice, after activists tampered with certain pipelines, discussing steps to harden SCADA control systems on pipeline operational technology, including segregating the control system network from the corporate network, limiting remote access to control systems, and enhancing user access controls. In addition, all companies, including those in the oil and gas subsector and beyond, should consider engaging in an efficient and highly tactical incident response planning process that incorporates all necessary stakeholders across the enterprise, including those from both information technology and legal.
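The three hardening steps summarised from the PHMSA/TSA notice (segregate the control network, limit remote access, strengthen user access controls) are the kind of thing an operator can check mechanically against its own firewall policy. The script below is an added example, not code from the notice, PHMSA, TSA or any operator: it audits a constructed, hypothetical rule set and account list, with made-up address ranges (a corporate network, a control network and a single jump host), and flags allow rules that let corporate or arbitrary sources straight into the control zone, jump-host rules that are broader than a named encrypted protocol, and shared or MFA-less logins on the jump host.

```python
"""Audit a constructed firewall policy and account list against the three
hardening steps summarised from the PHMSA/TSA notice: segregate the control
network from the corporate network, limit remote access to control systems,
and strengthen user access controls. Added example; all addresses, rule
names and accounts are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (hypothetical, not from the notice or any operator).
CORPORATE_NET = ipaddress.ip_network("10.10.0.0/16")   # business IT
CONTROL_NET = ipaddress.ip_network("10.50.0.0/16")     # SCADA / HMI / PLC zone
JUMP_HOST = ipaddress.ip_network("10.20.5.10/32")      # bastion in the OT DMZ

# Ports this checker treats as interactive remote access into the control zone.
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc", 23: "telnet"}
CLEARTEXT_PORTS = {23, 5900}   # protocols that carry credentials unencrypted


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    dport: Optional[int]     # None means "any port"
    action: str              # "allow" or "deny"


@dataclass(frozen=True)
class Account:
    user: str
    host: str
    mfa: bool
    shared: bool             # generic login used by several people


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def audit_rules(rules):
    """Return (rule name, check, message) for allow rules into the control network."""
    findings = []
    for r in rules:
        src, dst = _net(r.src), _net(r.dst)
        if r.action != "allow" or not dst.overlaps(CONTROL_NET):
            continue   # only inbound allows into the control zone matter here
        from_control = src.subnet_of(CONTROL_NET)
        from_jump = src.subnet_of(JUMP_HOST)
        if not (from_control or from_jump):
            # Step 1: a corporate (or any) source talks straight into the control zone.
            findings.append((r.name, "segregation",
                             f"{r.src} reaches control network without passing through the jump host"))
            continue
        if from_jump:
            # Step 2: even the jump host is limited to named, encrypted remote-access ports.
            if r.dport is None:
                findings.append((r.name, "remote-access",
                                 "jump host allowed on any port; restrict to the specific protocol needed"))
            elif r.dport in CLEARTEXT_PORTS:
                findings.append((r.name, "remote-access",
                                 f"{REMOTE_ACCESS_PORTS[r.dport]} carries credentials in cleartext; use an encrypted protocol"))
    return findings


def audit_accounts(accounts):
    """Step 3: flag shared logins and logins without MFA on hosts that reach the control zone."""
    findings = []
    for a in accounts:
        if a.shared:
            findings.append((a.user, "access-control", f"shared account on {a.host}; issue individual credentials"))
        if not a.mfa:
            findings.append((a.user, "access-control", f"no MFA on {a.host}"))
    return findings


# Constructed sample policy: four of the five allow rules violate the guidance.
SAMPLE_RULES = [
    Rule("corp-to-hmi",        "10.10.0.0/16",  "10.50.1.0/24", 3389, "allow"),  # violates step 1
    Rule("any-to-historian",   "0.0.0.0/0",     "10.50.2.5/32", 1433, "allow"),  # violates step 1
    Rule("jump-to-hmi-rdp",    "10.20.5.10/32", "10.50.1.0/24", 3389, "allow"),  # acceptable
    Rule("jump-to-plc-any",    "10.20.5.10/32", "10.50.3.0/24", None, "allow"),  # violates step 2
    Rule("jump-to-rtu-telnet", "10.20.5.10/32", "10.50.4.0/24", 23,   "allow"),  # violates step 2
    Rule("deny-all",           "0.0.0.0/0",     "0.0.0.0/0",    None, "deny"),
]

# Constructed jump-host accounts: "operator" is both shared and without MFA.
SAMPLE_ACCOUNTS = [
    Account("jdoe",     "jump-host", mfa=True,  shared=False),
    Account("operator", "jump-host", mfa=False, shared=True),
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES) + audit_accounts(SAMPLE_ACCOUNTS):
        print(*f, sep=" | ")
```

The checks are deliberately coarse (a destination that merely overlaps the control range counts, and a source is trusted only if it is wholly inside the control zone or is the jump host itself), so the script errs toward reporting a rule for a human to justify rather than silently accepting a broad one.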
Oil and gas companies seeking further risk mitigation should also consider certifying or designating their cybersecurity programs under the Support Anti-Terrorism by Fostering Effective Technologies Act (“SAFETY Act”). Overseen by the DHS SAFETY Act Office, the act provides significant liability protections where an approved technology or service is deployed to counteract an “act of terrorism.” Such an act of terrorism is determined by DHS, need not be politically motivated, and can include a cyber attack. While not necessarily applicable to lower scale cybersecurity incidents (by comparison, the Boston Marathon bombing was not designated an act of terrorism), SAFETY Act liability protections can mitigate risk posed to companies by a cyber attack with catastrophic consequences.
On March 15, 2018, the Trump Administration took the unprecedented step of publicly blaming the Russian government for carrying out cyber attacks on American energy infrastructure. According to a joint Technical Alert issued by the Department of Homeland Security and the FBI, beginning at least as early as March 2016, Russian government cyber actors carried out a “multi-stage intrusion campaign” that sought to penetrate U.S. government entities and a wide range of U.S. critical infrastructure sectors, including “organizations in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors.”
The attacks involved the Russian government gaining remote access to energy sector networks and other intended targets via malware and spear phishing of “staging targets” that had preexisting relationships with the intended targets. Once the hackers gained access to their intended targets, they used that access to conduct network reconnaissance and collect information on Industrial Control Systems and Supervisory Control and Data Acquisition infrastructure, among other activity. Although Russia’s motive was not clear, “cyber security experts and former U.S. officials say such behavior is generally espionage-oriented with the potential, if needed, for sabotage.” Indeed, the Russian government has also been linked to attacks on the Ukrainian energy grid in 2015-2016 that “caused temporary blackouts for hundreds of thousands of customers and were considered first-of-their-kind assaults.”
The Technical Alert includes recommended detection and prevention guidelines for network administrators to help defend against similar attacks in the future.
What were the hottest privacy and cybersecurity topics for 2017? Our posts on the EU General Data Protection Regulation (“GDPR”), EU-U.S. Privacy Shield, and the U.S. executive order on cybersecurity led the way in 2017. Read our top 10 posts of the year.
Article 29 Working Party Releases GDPR Action Plan for 2017
On January 16, 2017, the Article 29 Working Party (“Working Party”) published further information about its Action Plan for 2017, which sets forth the Working Party’s priorities and objectives in the context of implementation of the GDPR for the year ahead. The Action Plan closely follows earlier GDPR guidance relating to Data Portability, the appointment of Data Protection Officers and the concept of the Lead Supervisory Authority, which were published together by the Working Party on December 13, 2016.
Privacy Shield: Impact of Trump’s Executive Order
On January 25, 2017, President Trump issued an Executive Order entitled “Enhancing Public Safety in the Interior of the United States.” While the Order is primarily focused on the enforcement of immigration laws in the U.S., Section 14 declares that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” This provision has sparked a firestorm of controversy in the international privacy community, raising questions regarding the Order’s impact on the Privacy Shield framework, which facilitates lawful transfers of personal data from the EU to the U.S. While political ramifications are certainly plausible from an EU-U.S. perspective, absent further action from the Trump Administration, Section 14 of the Order should not impact the legal viability of the Privacy Shield framework.
CNIL Publishes Six Step Methodology and Tools to Prepare for GDPR
On March 15, 2017, the French data protection authority (the “CNIL”) published a six step methodology and tools for businesses to prepare for the GDPR that will become applicable on May 25, 2018.
German DPA Publishes English Translation of Standard Data Protection Model
On April 13, 2017, the North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information published an English translation of the draft Standard Data Protection Model. The SDM was adopted in November 2016 at the Conference of the Federal and State Data Protection Commissioners.
President Trump Signs Executive Order on Cybersecurity
On May 11, 2017, President Trump signed an executive order (the “Order”) that seeks to improve the federal government’s cybersecurity posture and better protect the nation’s critical infrastructure from cyber attacks. The Order also seeks to establish policies for preventing foreign nations from using cyber attacks to target American citizens.
Bavarian DPA Tests GDPR Implementation of 150 Companies
Article 29 Working Party Releases Opinion on Data Processing at Work
The Working Party recently issued its Opinion on data processing at work (the “Opinion”). The Opinion, which complements the Working Party’s previous Opinion 08/2001 on the processing of personal data in the employment context and Working document on the surveillance of electronic communications in the workplace, seeks to provide guidance on balancing employee privacy expectations in the workplace with employers’ legitimate interests in processing employee data. The Opinion is applicable to all types of employees and not just those under an employment contract (e.g., freelancers).
New Data Protection Enforcement Provisions Take Effect in Russia
As reported in BNA Privacy Law Watch, on July 1, 2017, a new law took effect in Russia allowing for administrative enforcement actions and higher fines for violations of Russia’s data protection law. The law, which was enacted in February 2017, imposes higher fines on businesses and corporate executives accused of data protection violations, such as unlawful processing of personal data, processing personal data without consent, and failure of data controllers to meet data protection requirements. Whereas previously fines were limited to 300 to 10,000 rubles ($5 to $169 USD), under the new law, available fines for data protection violations range from 15,000 to 75,000 rubles ($254 to $1,269 USD) for businesses and 3,000 to 20,000 rubles ($51 to $338 USD) for corporate executives.
CNIL Publishes GDPR Guidance for Data Processors
On September 29, 2017, the French Data Protection Authority published a guide for data processors to implement the new obligations set by the GDPR.
Article 29 Working Party Releases Guidelines on Automated Individual Decision-Making and Profiling
On October 17, 2017, the Working Party issued Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (the “Guidelines”). The Guidelines aim to clarify the GDPR’s provisions that address the risks arising from profiling and automated decision-making.
As reported in BNA Privacy Law Watch, on August 22, 2017, the Russian privacy regulator, Roskomnadzor, announced that it had issued an order (the “Order”), effective immediately, revising notice protocols for companies that process personal data in Russia. Roskomnadzor stated that an earlier version of certain requirements for companies to notify the regulator of personal data processing was invalidated by the Russian Telecom Ministry in July.
The Order requires companies to notify Roskomnadzor in advance of personal data processing, including information on safeguards in place to prevent data breaches and whether the company intends to transfer data outside Russia (and, if so, the countries to which the data will be transferred). Companies must also confirm their compliance with Russia’s data localization law, which requires that companies processing personal data of Russian citizens store that data on servers located within Russia. In conjunction with the Order, Roskomnadzor released a new notification form that companies may use to communicate with the regulator.
As reported in BNA Privacy & Security Law Report, on August 9, 2017, the Russian privacy regulator, Roskomnadzor, expanded its list of nations that provide sufficient privacy protections to allow transfers of personal data from Russia. Russian law allows data transfers to countries that are signatories to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the “Convention”), and to certain other non-signatory countries deemed by Roskomnadzor to have adequate privacy protections based on relevant data protection laws, privacy regulators and penalties for privacy law violations.
The new authorized countries are Costa Rica, Gabon, Kazakhstan, Mali, Qatar, South Africa and Singapore. They join Angola, Argentina, Benin, Canada, Cape Verde, Chile, Israel, Malaysia, Mexico, Mongolia, Morocco, New Zealand, Peru, South Korea and Tunisia. The United States is neither a signatory to the Convention nor on Roskomnadzor’s list of countries with adequate privacy protections to permit personal data transfers from Russia.
Additionally, the Russian data protection enforcement law that took effect on July 1, 2017 (described above) allows the Russian data protection authority (Roskomnadzor) to initiate administrative enforcement proceedings for alleged data protection violations. Previously, enforcement of the data protection law was undertaken by the Prosecutors’ Office.
Read about groups and types of targeted threats here: Mitre ATT&CK
- APT28_2014-10_TrendMicro Operation Pawn Storm. Using Decoys to Evade Detection
- APT28_2015-07_Digital Attack on German Parliament
- APT28_2015-10_New Adobe Flash Zero-Day Used in Pawn Storm
- APT28_2015-10_Root9_APT28_targets Financial Markets
- APT28_2015-12_Kaspersky_Sofacy APT hits high profile targets
- APT28_2016-02_PaloAlto_Fysbis Sofacy Linux Backdoor
- APT29_2016-06_Crowdstrike_Bears in the Midst Intrusion into the Democratic National Committee << DNC (NOTE: this is APT29)
- APT28_2016-07_Invincea_Tunnel of Gov DNC Hack and the Russian XTunnel
- APT28_2016-10_ESET_Observing the Comings and Goings
- APT28_2016-10_ESET_Sednit A Mysterious Downloader
- APT28_2016-10_ESET_Sednit Approaching the Target
- APT28_2016-10_Sekoia_Rootkit analysis. Use case on HideDRV
- APT28_2017-02_Bitdefender_OSX_XAgent << OSX XAgent
Download sets (matching research listed above). Email me if you need the password
Download all files/folders listed (72MB)
This post has been updated.
On November 10, 2016, the Court of Appeal for Moscow’s Tagansky District upheld an August 2016 decision by the district’s lower court that LinkedIn had violated Russian data protection laws. Access to the professional networking site is now set to be blocked across Russia.
The court’s decision, which followed a complaint from the Russian data protection regulator, Roskomnadzor, found that LinkedIn violated Russian data protection law on two counts:
- not storing data about Russians on servers located in Russian territory; and
- processing information about individuals who are not registered on the LinkedIn website and who have not signed the company’s user agreement.
This is thought to be the first time Russia’s data localization law has been enforced since its entry into force in September 2015. The law requires that data relating to Russian citizens be stored on servers physically located inside Russia’s borders. Although LinkedIn does not have a physical presence in Russia, it operates a Russian-language version of its website, which was enough to convince Roskomnadzor and the court that the company is subject to Russian data protection legislation.
Media reports have cited Roskomnadzor’s claim that it contacted LinkedIn to inquire about its data localization practices, but did not receive a substantive response. LinkedIn, however, has argued that Roskomnadzor communicated with its U.S. office instead of LinkedIn Ireland, the entity responsible for the data of non-U.S. citizens. LinkedIn is reportedly eager to enter into dialogue with Roskomnadzor to find a solution to the issue, and also has the option to appeal the decision to the Russian Supreme Court.
Roskomnadzor has the power to block Russian individuals’ access to websites, and has stated that it plans to block access to LinkedIn. The site will be entered into a special registry of websites operating in violation of the data localization law, and will be blocked three business days after being entered into the registry.
UPDATE: On November 17, 2016, the Russian data protection regulator, Roskomnadzor, officially blocked access to LinkedIn for its alleged violation of Russian data protection law.
On January 13, 2016, the Russian Data Protection Authority (Roskomnadzor) released its plan for audits this year to assess compliance with Russia’s data localization law, which became effective on September 1, 2015. The localization law requires companies to store the personal data of Russians in databases located in Russia. The audit plan indicates that Roskomnadzor will audit large, multinational companies doing business in numerous jurisdictions and processing the personal data of Russian citizens.
On December 31, 2014, Russian President Vladimir Putin signed legislation to move the deadline for compliance to September 1, 2015, for Federal Law No. 242-FZ (the “Localization Law”), which requires companies to store the personal data of Russian citizens in databases located in Russia. The bill that became the Localization Law was adopted by the lower chamber of Russian Parliament in July 2014 with a compliance deadline of September 1, 2016. The compliance deadline was then moved to January 1, 2015, before being changed to September 1, 2015 in the legislation signed by President Putin.
The Russian law firm ALRUD reports that the Localization Law creates a new obligation to store personal data of Russian citizens in Russia, meaning that companies located outside Russia “will be forced to place their servers within Russia if they plan to continue making business in the market.” The exact purview of the Localization Law is somewhat ambiguous, but the law requires data operators to ensure that the recording, systemization, accumulation, storage, revision (updating and amending), and extraction of personal data of Russian citizens occur in databases located in Russia. As an example of the ambiguity regarding the scope of the Localization Law, it is unclear whether the law applies to companies that collect personal data from Russian customers but have no physical presence in Russia. In addition, it is unclear whether the law will affect the cross-border transfers of personal data from Russia to foreign jurisdictions.
Last week, the Russian Parliament adopted a bill amending portions of Russia’s existing legislation on privacy, information technology and data protection. Among other provisions, the law would create a “data localization” obligation for companies engaged in the transmission or recording of electronic communications over the Internet. Such companies would be required to store copies of the data for a minimum of six months in databases that must be located within the Russian Federation. The new bill also would empower the Russian data protection authority to block public Internet access to any service that does not comply with this requirement.
It appears the amendments are aimed at preventing foreign intelligence services from accessing Russian citizens’ data, as well as facilitating such access by Russia’s own law enforcement agencies. Some commentators have suggested that the new bill also is intended to encourage the development of home-grown online services in Russia.
Earlier this year, the European Union’s highest court struck down a broadly comparable data retention requirement, and Brazilian lawmakers withdrew the data localization provision from a legislative proposal in the face of opposition from Internet companies.
Reports indicate that, subject to the approval of the upper house of Russia’s Parliament and signature by President Vladimir Putin, the law will become effective in the second half of 2016.